“Data protection is at the forefront of the relationship between AI and the law,” as noted in the introduction to a study on the impact of the General Data Protection Regulation (“GDPR”) on artificial intelligence (“AI”), commissioned by the European Parliament (the “Study”). The Study was released on 29 June 2020, along with another important report on AI, an opinion of the European Data Protection Supervisor (“EDPS”) on the European Commission’s White Paper of February 2020 on AI (the “Opinion”).
The Study and the Opinion both acknowledge the growing importance and impact of AI, but warn about risks for both individuals and society.
The Study calls for a robust legal and ethical “socio-technical” framework which upholds the EU’s fundamental rights and values and preserves the “social good”. Nevertheless, it believes “there are ways to interpret, apply, and develop the data protection principles that are consistent with the beneficial uses of AI and big data.”
However, the Study notes that the GDPR “abounds in vague clauses and open standards.” It therefore calls for regulators to publish more guidance to help controllers and ensure that the EU remains internationally competitive. Such guidance is particularly needed as “the GDPR offloads the task of establishing how to manage risk and find optimal solutions onto controllers, a task which may be both challenging and costly.” The Study advocates a balance between allowing innovation but remaining “responsible”.
Amongst other things the Study:
- suggests a distinction between using personal data in a training set to build an algorithm and in drawing conclusions about individuals. The former, provided sufficient controls are in place, can be justified (potentially by the legitimate interest basis). The latter is likely to need free, specific and informed consent; and
- refers to the CJEU’s decision in the Schrems v Facebook case (Case C-498/16). Contrary to this decision, it argues that making collective actions easier would help data subjects to enforce their rights and obtain redress.
Overall though, the Study concludes that there is “no urgent need to make broad changes to the GDPR” in light of the advancement of AI.
The European Commission published its white paper on AI in February 2020 (see our blog). The EDPS had previously given informal comments to the European Commission on the draft of the White Paper in January 2020 and recently published its formal Opinion on the paper, building on its initial comments.
The EDPS’ primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection. Unsurprisingly, the Opinion is therefore more concerned with the risks of AI, warning that it is no “silver bullet” for all society’s problems. It stresses risks that (in its view) the White Paper did not address, such as “the human tendency to trust in automated decision-making systems blindly.”
The Opinion also regrets that the White Paper did not provide a single, clear definition of AI. It calls for this to be formulated so that such definition can “frame the scope of actions and possible future legislative proposals.”
There is particular concern about biometric identification technologies (which not only recognise faces but also gait, fingerprints, DNA, voice, keystrokes etc.). Despite their potential benefits, brought into focus by the Covid crisis, the Opinion calls for a “moratorium” on their deployment until “an informed and democratic debate can take place” and suitable safeguards can be put in place.
It adds the general observation that “data protection rules are designed primarily to protect individuals.” Hence the Opinion suggests the GDPR may not be effective for issues which affect a whole neighbourhood, such as the deployment of predictive policing. The Opinion therefore calls for any future AI-related regulations to protect “collectives and society as a whole”, in addition to individuals.
That said, the EDPS is not convinced by the White Paper’s view that there are regulatory gaps which need addressing by way of new AI-focused legislation. It notes that many of the risks identified in the White Paper apply equally to other new / emerging technologies; the Opinion therefore calls for “a sound regulatory gap analysis” to inform any proposals for a future AI regulatory framework.
The Opinion concludes, like the Study, that the GDPR is “technology-neutral” and “no obstacle for the successful adoption of new technologies, in particular AI.”
"there are ways to interpret, apply, and develop the data protection principles that are consistent with the beneficial uses of AI and big data"