Data protection and AI

When discussing technology advancements, it’s hard not to talk about the General Data Protection Regulation (GDPR) at the same time. Technology, has been the principal problem that data protection laws are trying to solve.The GDPR’s focus on technology is much more explicit than its predecessor, the Data Protection Directive.

That’s because technical development allows for more sophisticated and increasing amounts of personal data collection and processing. And with that comes a risk that such advancements would enable data controllers and processors to trample on fundamental rights and freedoms of the individuals.

Artificial intelligence (AI) already plays a role in many decisions that affect our daily lives and data is key ingredient for AI applications. In particular, AI enables automated decision-making even in domains that require complex choices, based on multiple factors and non-predefined criteria. In many cases, automated predictions and decisions are not only cheaper, but also more precise and impartial than human ones, as AI systems can avoid the typical fallacies of human psychology and can be subject to rigorous controls.

However, algorithmic decisions may also be mistaken or discriminatory, reproducing human biases and introducing new ones. Even when automated assessments of individuals are fair and accurate, they are not unproblematic: they may negatively affect the individuals concerned, who are subject to pervasive surveillance, persistent evaluation, insistent influence, and possible manipulation.

Hence, the GDPR and AI confluence raises intriguing issues in policy-related conversations. AI is not explicitly mentioned in the GPDR, but many provisions in the GDPR are relevant to AI, and some are indeed challenged by the new ways of processing personal data that are enabled by AI.

There is indeed a tension between the traditional data protection principles – purpose limitation, data minimisation, the special treatment of ‘sensitive data’, the limitation on automated decisions– and the full deployment of the power of AI and big data. The latter entails the collection of vast quantities of data concerning individuals and their social relations and processing such data for purposes that were not fully determined at the time of collection. However, there are ways to interpret, apply, and develop the data protection principles that are consistent with the beneficial uses of AI and big data.

Controllers engaging in AI-based processing should endorse the values of the GDPR and adopt a responsible and risk-oriented approach. This can be done in ways that are compatible with the available technology and economic profitability (or the sustainable achievement of public interests, in the case of processing by public authorities). However, given the complexity of the matter and the gaps, vagueness and ambiguities present in the GDPR, controllers should not be left alone in this exercise. Institutions need to promote a broad societal debate on AI applications, and should provide high-level indications. Data protection authorities need to actively engage in a dialogue with all stakeholders, including controllers, processors, and civil society, in order to develop appropriate responses, based on shared values and effective technologies. Consistent
application of data protection principles, when combined with the ability to efficiently use AI technology, can contribute to the success of AI applications, by generating trust and preventing risks.

Source: “The impact of the General Data Protection Regulation (GDPR) on artificial intelligence, Study Panel for the Future of Science and Technology, EPRS | European Parliamentary Research Service Scientific Foresight Unit (STOA) PE 641.530 – June 2020