Data protection and AI
When discussing technology advancements, it’s hard not to talk about the General Data Protection Regulation (GDPR) at the same time. Technology has been the principal problem that data protection laws are trying to solve. The GDPR’s focus on technology is much more explicit than its predecessor, the Data Protection Directive.
That’s because technical development allows for more sophisticated collection and processing of increasing amounts of personal data. And with that comes a risk that such advancements would enable data controllers and processors to trample on the fundamental rights and freedoms of individuals.
Artificial intelligence (AI) already plays a role in many decisions that affect our daily lives, and data is a key ingredient for AI applications. In particular, AI enables automated decision-making even in domains that require complex choices, based on multiple factors and non-predefined criteria. In many cases, automated predictions and decisions are not only cheaper, but also more precise and impartial than human ones, as AI systems can avoid the typical fallacies of human psychology and can be subject to rigorous controls.
However, algorithmic decisions may also be mistaken or discriminatory, reproducing human biases and introducing new ones. Even when automated assessments of individuals are fair and accurate, they are not unproblematic: they may negatively affect the individuals concerned, who are subject to pervasive surveillance, persistent evaluation, insistent influence, and possible manipulation.
Hence, the GDPR and AI confluence raises intriguing issues in policy-related conversations. AI is not explicitly mentioned in the GDPR, but many provisions in the GDPR are relevant to AI, and some are indeed challenged by the new ways of processing personal data that are enabled by AI.
There is indeed a tension between the traditional data protection principles – purpose limitation, data minimisation, the special treatment of ‘sensitive data’, the limitation on automated decisions – and the full deployment of the power of AI and big data. The latter entails the collection of vast quantities of data concerning individuals and their social relations and processing such data for purposes that were not fully determined at the time of collection. However, there are ways to interpret, apply, and develop the data protection principles that are consistent with the beneficial uses of AI and big data.
Controllers engaging in AI-based processing should endorse the values of the GDPR and adopt a responsible and risk-oriented approach. This can be done in ways that are compatible with the available technology and economic profitability (or the sustainable achievement of public interests, in the case of processing by public authorities). However, given the complexity of the matter and the gaps, vagueness and ambiguities present in the GDPR, controllers should not be left alone in this exercise. Institutions need to promote a broad societal debate on AI applications, and should provide high-level indications. Data protection authorities need to actively engage in a dialogue with all stakeholders, including controllers, processors, and civil society, in order to develop appropriate responses, based on shared values and effective technologies. Consistent application of data protection principles, when combined with the ability to efficiently use AI technology, can contribute to the success of AI applications, by generating trust and preventing risks.
Source: “The impact of the General Data Protection Regulation (GDPR) on artificial intelligence”, Study Panel for the Future of Science and Technology, EPRS | European Parliamentary Research Service Scientific Foresight Unit (STOA) PE 641.530 – June 2020
Contact us
We hope you find this useful. If you need an EU representative, have any questions about the GDPR, or have received a SAR or a request from the regulator and need help, please contact us at any time. We will be happy to help you...
Local GDPR team.