Are Personal Data Well Protected?

Laurence Devillers¹, a specialist in artificial intelligence at Sorbonne University and member of the Allistène ethics committee², and Mattia Walschaers, a CNRS researcher in quantum computing at the Kastler Brossel Laboratory at Sorbonne University, provide some answers.

Does the existence of a European Data Protection Day mean that our data is not protected?

Laurence Devillers: They are not protected enough, especially outside the European Union (EU). In the EU, the RGPD³ obliges manufacturers to anonymize or pseudonymize data and to obtain users' consent, under the supervision of the CNIL⁴. But this is not enough because many actors on the European territory are not themselves European and therefore do not refer to the same laws. While data centers are located in Europe, American platforms are governed by extraterritorial laws that make it possible, in certain cases, for authorities or intelligence services to access data. This was revealed, in particular, by the Cambridge Analytica scandal, the recovery of data in the United Kingdom and the United States in order to influence the politics of these countries.

Developing French and European platforms to exchange, distribute and protect our data is a major axis to creating trusted data markets. The Health Data Hub, an excellent initiative to standardize, exchange and correlate French medical data hosted by a Microsoft⁵ platform, will have to change host.

The portability of personal data and the obligation of interoperability can also be regulatory measures. The idea of sovereignty is above all linked to the security of citizens' data, but also to its use in France and in Europe.

In view of the cyber-attacks of which hospital and administrative IT systems are increasingly victims, it is also necessary to strengthen our research and development in cyber-security.

Mattia Walschaers: The issue of data protection underlies the issue of data use. If companies, especially GAFAM⁶, have so much data on us, it's because we tend to give it away without questioning its use. There is a huge amount of work to be done to educate the public about the real danger of considering that our personal data is not that interesting. There are a lot of tools to secure it, especially encryption algorithms that are very efficient but not always practical for individuals. The problem is that they are also used as weapons to hold our data hostage and demand a ransom.

Is training the general public in the use of digital means the key?

M.W.: Training and educating the general public to understand that not everything on the Internet is acceptable is important. But this is a problem that also affects science. The question of storing the data we get from our experiments is a real concern. Many researchers and PhD students tend to store them on consumer applications like Google Drive or DropBox, which goes against the CNRS guidelines. But if we do it on our own, it's because these tools work and are very easy to use compared to the data management systems offered by research centers and universities. This dilemma between security and everyday practicality has a lot to do with it.

L.D.: There is a somewhat blind trust in American tools, probably due to a lack of knowledge of these tools and a total lack of transparency in what they can do. The easier they are to use, the less questions are asked. I have heard too often that the ethics of a machine is that it disappears. The computer disappears so it is no longer scary. It is, in fact, exactly the opposite: the more intuitive it is, the more the technology is hidden! These are ways to prevent the population from being interested in the real issues. On the contrary, the public must become aware of these manipulations and push the industrialists to follow standards and laws obliging them to be transparent, which unfortunately often comes down to pages that are unfit to be read.

What are the possible solutions to protect our personal data?

L.D.: First of all, we need to train citizens better. Schools must play a role, not only for children but also for parents. Second, with the war on industrial standards between the US, China and the EU, we need all the industrial forces to follow the standards and extend their influence. Then people will be reluctant to work with tools from firms that do not offer these protections. Finally, the EU must support research on these issues and the establishment of independent multidisciplinary committees of academic and industrial experts to audit these systems after they are put into service. We also need to raise awareness of the wealth of data and promote virtuous technologies on the European market.

M.W.: It is indeed our countries that make the laws. The question is no longer whether GAFAM will follow them or not. And if they don't, they must be sanctioned. Personal data is the gold of our century. The last few years have shown us that it can also be used as a weapon of disinformation. Data protection laws are therefore important to put pressure on states outside the EU with regard to all these considerations.

What simple advice would you give us to protect our data?

L.D.: First of all, ask yourself what data is important and think about your privacy. Don't entrust yourself to a machine like SIRI, Alexa or Google Home! It can be of some help but it is not a "friend" and it can collect your data. Unplug the machines when you are not using them.

M.W.: I'm not a cyber security expert but as a user, I almost always refuse cookies. It takes a little more time, but it's a very simple thing to do and it helps protect us a little more from trackers.

¹ Laurence Devillers's portrait
² Alliance des sciences et technologies du numérique
³ Règlement général sur la protection des données
⁴ Commission nationale de l’informatique et des libertés
⁵ Health Data Hub
⁶ Google, Apple, Facebook, Amazon, Microsoft