momius - stock.adobe.com
Startup uses machine learning to support GDPR’s right to be forgotten
Non-intrusive algorithms enable users to track which companies hold their data, so they can take it back
Machine learning startup Mine is using the technology to help internet users see the full extent of their digital footprint and exercise their right to be forgotten under the European Union’s General Data Protection Regulation (GDPR).
The right to be forgotten was enshrined in law for the first time when the GDPR came into effect at the end of May 2018. It gives individuals the power to request the erasure or removal of their personal data when there is no compelling justification for its continued processing.
However, research released in September 2019 by security software supplier Egress showed that 52% of UK businesses are not fully compliant with the GDPR, while regulators across Europe have imposed fines totalling €114m (£97.5m) since the rules were introduced.
Although only one company so far, ClickQuickNow, has been fined for non-compliance with the right to be forgotten, there could be many more that are not being challenged because of a lack of effective tools and mechanisms to help people exercise their right.
“The GDPR is not being used widely and I think the main reason is that people want to use it, but they don’t really have the tools to,” says Gal Ringel, CEO and co-founder of Mine. He added that it can be challenging for people to know exactly what data, and how much, is being collected about them.
For example, a report released in January 2020 by the Norwegian Consumer Council looked at the data collection practices of 10 mobile apps and found that they collectively transmitted their users’ data to 135 different third parties.
To empower end-users in these situations, Mine uses machine learning algorithms in tandem with natural language processing (NLP) to monitor people’s email inboxes. The algorithms are designed to be non-intrusive, limiting Mine’s visibility of a user’s inbox to just the subject line and sender.
“Our number one priority was not to process or collect personal data,” says Ringel. “And with that in mind, we thought ‘OK, how can we get to the highest coverage of companies collecting your data as a user?’
“Surprisingly, we found out that 90% of the companies collecting your personal data can be found in your email inbox.”
Mine’s algorithm then cross-references the subject line information with the organisation’s privacy policies to determine exactly what data it holds on a user, without having to access the actual content of the emails.
350-400 companies in each digital footprint
So far, Mine has analysed the privacy policies of more than four million digital services to understand what data they collect from users, and while developing the app has discovered that the average user has 350-400 companies in their digital footprint, 80% of which the user interacted with just once.
“Every user has over 350 companies holding sensitive data on them, which is quite shocking,” says Ringel. “Not only that, but this number is growing by eight new companies a month, which means our personal footprint is highly dynamic and changing all the time.”
According to Ringal, the conversation about data privacy needs to focus much more on data ownership. “Privacy is all about putting fences around us, preventing our personal information being shared with other people,” he says. “But the problem with that is that we miss out on the fun – every day we use online services and share our data with companies because it is convenient and efficient. Now, with GDPR, we can actually take our data back whenever we choose.”
Once users know where their data is, Mine helps them reclaim it by submitting automated right-to-be-forgotten requests to the companies with the click of a button.
For users on the trial version of Mine, the startup will email the request to the company and copy the user in to follow up communications. For users paying the subscription fee, Mine will instead work on their behalf and handle communications with the company concerned.
Read more about artificial intelligence
- The European Union and the UK will be left behind in artificial intelligence research and development if they take separate paths after Brexit.
- The second edition of Singapore’s AI governance framework now includes new guidance, use cases and a self-assessment guide.
- CaixaBank uses artificial intelligence to help its staff find and access the most relevant training resources.
Although Mine officially launched on 21 January 2020, it spent the previous year testing the technology behind closed doors.
During that time, the company completed more than 25,000 right-to-be-forgotten requests, with 64% of companies complying with the request within the 30-day timeframe stipulated by the GDPR.
Mine also discovered that 80% of the companies in a user’s footprint were interacted with only once by the user, so the data could easily be deleted by the company if pressured to do so.
“GDPR is super important here because it makes companies responsible and accountable for data in a way that they never have before,” says Ringel. He points out that the 64% completion rate is evidence of how seriously many organisations are taking the regulation.
While Mine, as a business-to-consumer company, is focused on empowering the consumer, Ringel concludes that there is a business-to-business case too, in that it can help streamline the process from the user side.
Going forward, Mine will develop its NLP features further, as well as new business models to help companies and employees understand what data is being collected and stored about them by other companies.