EU’s regulation on data protection and privacy, known as General Data Protection Regulation (GDPR), has an undeniable impact on global technology development and innovation.
Organizations around the world are still digesting all implications of GDPR and, admittedly, are not yet adequately prepared to shift their approach from facing and addressing the Regulation as a bunch of perceived obstacles and problems to rather embracing the vision, accept the challenge, and aim for the many opportunities instead.
The GDPR came into effect in May of 2018 and is the result of the standardization of multiple data privacy regulations and laws across the EU, bringing order and clarity especially for organizations with international operations. While GDPR protects EU residents, it is global in scope in that it affects organizations worldwide which target the European market or provide services managing personally identifiable information of EU residents.
The Regulation empowers individuals (data subjects in the GDPR) and gives them a high degree of control over what, how, and for how long businesses (controllers and processors) can operate with their personal data. Controllers and Processors, under the GDPR, have a series of strict obligations to abide by and technology leaders like Google, Facebook, and Amazon have already felt the brunt of the Regulation and have had to adapt, amend, and update their policies and practices to comply with the GDPR.
To aim at a compliance with the Regulation, organizations must conduct exhaustive internal assessment of their internal processes, governance, and their data architecture and technology platforms, and manage substantial changes covering both the personal and technical aspect of their processes. Seeking external expertise is always wise at any level.
At a minimum, organizations must demonstrate full awareness of all aspects of the data lifecycle and prove they can guarantee at all moments data confidentiality, integrity, and availability. An additional obligation for an organization is establishing mechanisms to detect violations and thus continuously improve processes, security measures, and controls to minimize further occurrences of a concretized and assessed security risk.
Another important GDPR provision is the obligation for organizations to ensure that any processing is supported by organizational and technical measures to ensure data quality and relevance which, implicitly, has the side effect to increase efficiency and efficacy of the same process.
Without getting into any more details of the GDPR, the brief scenario described above already suggests that technology innovations, especially in the realm of Artificial Intelligence (AI), are heavily impacted by the GDPR.
AI is a broad branch of computer science which aims at building “smart” machines and applications which would be capable of performing at a level which can be compared to how a human would react in similar situations.
Artificial Intelligence comes in multiple flavors and is not limited to “self-aware” computers.
AI is already present in our lives with a wide range of applications like Siri and Alexa, self-driving cars, conversational bots, marketing recommendations from websites to even less obvious examples like spam filters and information packet analyzers. Other uses of AI include the crucial support for doctors, radiologists, oncologists performing diagnoses, and researchers in general when analyzing and interpreting medical data with finding patterns and correlations more accurately.
When talking about AI, it is thus not possible to overlook the GDPR because access to data is the key ingredient for any AI application, and what happens to personal data is, after all, the focus of the GDPR.
The European Commission has expressed its views on AI with the release of the communication on “Artificial Intelligence for Europe.” The document describes AI as referring to “systems that display intelligent behavior by analyzing their environment and taking actions – with some degree of autonomy – to achieve specific goals.”
The message delivered by the EU document is clear: “The EU can lead the way in developing and using AI for good and for all” profiting from the opportunities arising from a “Digital Single Market” and the adoption of standardized data protection rules guaranteeing and allowing the free flow of data in the EU all while ensuring cybersecurity throughout the whole process. The Commission is already working to make data sharing in the EU easier and create the legal basis and the conditions to “open up more data – the raw material for AI – for re-use.”
Given the AI reliance on access to data, one must reflect on the legal and ethical framework coming from the GDPR to achieve trust and ensure accountability in the adoption of AI in various domains. Impacting AI applications, the GDPR has specific provisions related to automated decisions and profiling (Article 22) and the rights of the individuals whose data are then treated (Article 15).
The European Data Protection Board (EUDPB) has issued guidelines which help in interpreting these provisions, but we expect additional situations and legal cases to come and provide legally binding interpretations of the various rules and how they do apply.
This is not the only place where the two acronyms clash and need to find a common ground of intent and approach. For an ethical use of AI to be attained, other provisions from the GDPR need to be considered such as, for instance, the principles of fair and transparent processing.
A fair and transparent processing, without incurring into intellectual property violations, would demand organizations to provide information on the data which are used by the AI in input and information on how the output produced by the various algorithms determines the AI decisions and actions. Moreover, AI applications shall be made in a way which do not hinder the honoring of the GDPR rights of individuals with respect to their data.
It is worth noting that the AI community must consider also other EU laws which regulate specific issues at the core of AI development and use, but the GDPR is not a prescriptive set of rules, so the onus is on the organizations to document and demonstrate compliance with the GDPR provisions when processing personal data in an AI context.
As with all other data processing in other domains, GDPR in some cases restricts what can be done with personal data, or at least adds complexity to a proper and legally defensible data treatment but the challenge comes with a great value: increased trust which can accelerate the acceptance of AI solutions by consumers as the EU continues to progress toward a principled, ethical, and regulated data market.
Trust goes hand in hand with cybersecurity and whether an organization implements adequate organizational and technical security measures to protect personal data and privacy against the loss of confidentiality, data integrity, and data availability. Users’ trust is one of the most important issues in modern business and making progress around data privacy and security could lead to a definitive competitive advantage for businesses and further adoption of AI solutions.
Further adoption and increased consumers’ trust could well balance the additional development costs which the regulation is likely to trigger thus the risk of limiting the application scope and features should be minimal. The Regulation also requires organizations processing personal data to ensure their accuracy and relevance. The compliance efforts will bring in more value through improving algorithms and methods while profiting from well-regulated access to massive amounts of high-quality data as required.
GDPR and AI will walk along together; the requirements and obligations from one will need to be modulated by the needs and goals of the other. The European Union is aware of the opportunities which arise from both and understands well that GDPR and AI are companions in a very long journey. The relationship is bound to mature and to give birth to a more precise, secure, and ethical environment.
AI will continue to define the world of tomorrow and is already changing the world of today. Growth in computing power and data availability will create opportunities which will be limited only by our imagination.
However, at the same time, this growth demands a coordinated approach and, according to the EU Commission, it should be developed in an appropriate framework which promotes innovation and respects the Union’s values and fundamental rights as well as ethical principles such as accountability and transparency in a global space.
