In a recent publication, the EU Parliament’s research unit delves into the intricate relationship between the General Data Protection Regulation (GDPR) and the realm of Artificial Intelligence (AI). This comprehensive study explores the challenges and opportunities arising from the convergence of these two domains, shedding light on the ways in which law and technology can either counter risks or enable opportunities for individuals and society at large.
The study begins by examining the tensions and proximities between AI and key data protection principles outlined in GDPR, such as purpose limitation and data minimization.
A thorough analysis of automated decision-making follows, evaluating its admissibility, necessary safeguard measures, and the potential right of data subjects to individual explanations. Moreover, the study scrutinizes the GDPR’s provision for a preventive risk-based approach, emphasizing data protection by design and by default.
While the GDPR does not explicitly mention AI, the study highlights the relevance of many of its provisions to the use of AI.
The intersection reveals a tension between traditional data protection principles and the full deployment of AI’s capabilities, raising questions about the interpretation, application, and development of these principles in light of AI’s evolving landscape.
Several AI-related data protection issues remain unaddressed in the GDPR, prompting the need for guidance for controllers and data subjects. The report advocates for a broader societal, political, and legal debate on standards governing the processing of personal data using AI.
This discussion should address the explanation, acceptability, fairness, and reasonableness of decisions about individuals, as well as determine which AI applications should be unconditionally barred and which ones may be admitted under specific circumstances and controls.
The study then examines key GDPR provisions relevant to AI:
- Article 4(1): Personal Data (identification, identifiability, re-identification): Discussing the ‘re-personalisation’ of anonymous data and the inference of additional personal information facilitated by AI and big data.
- Article 4(2): Profiling: Addressing processing accomplished using AI technology, though not explicitly mentioned in GDPR.
- Article 4(11): GDPR Consent: Emphasizing the role of consent in the traditional understanding of data protection, particularly within the ‘notice and consent model.’
- Article 5(1)(b): GDPR Purpose Limitation: Examining the tension between AI and the purpose limitation requirement and the legitimacy of repurposing data for new purposes.
- Article 5(1)(d): GDPR Accuracy: Discussing the requirement for accurate data, especially when used as an output to an AI system.
The Interplay between GDPR and AI
AI’s Evolution and Societal Implications
AI and Personal Data
The study addresses the intersection of AI and personal data, emphasizing the transformative nature of AI applications in analyzing, forecasting, and influencing human behavior. While AI enables more precise and impartial decision-making, it also introduces the risk of discriminatory outcomes. The article underscores the societal significance of AI-based processing of personal data and its potential extremes in the form of ‘surveillance capitalism’ and a ‘surveillance state.’
Establishing a Normative Framework
To ensure responsible development and deployment of AI, the report calls for a comprehensive socio-technical framework that incorporates ethical and legal principles. The framework includes principles such as autonomy, prevention of harm, fairness, and explicability. Additionally, sector-specific regulations, including data protection, consumer protection, and competition laws, are deemed necessary to address the multifaceted legal issues arising from AI’s pervasive impact on European society.
GDPR Compatibility with AI
Although AI is not explicitly mentioned in GDPR, the report outlines how many of its provisions are relevant to AI applications. It acknowledges the tension between traditional data protection principles and the extensive power of AI and big data. The article suggests interpretations and applications of GDPR principles that align with the beneficial uses of AI while maintaining data protection standards.
Challenges and Opportunities
While acknowledging GDPR’s potential to balance data protection and societal interests, the report identifies challenges arising from vague clauses and open-ended standards.
The principles of risk prevention and accountability are seen as directing the processing of personal data toward a ‘positive sum’ game, but the burden of establishing optimal solutions is placed on controllers.
The report underscores the importance of clear guidance from data protection bodies to mitigate legal uncertainty and facilitate compliant solutions, particularly for smaller companies venturing into AI applications.
Policy Indications for GDPR and AI
- Alignment of GDPR with AI. The study acknowledges that the GDPR generally offers meaningful indications for data protection within AI applications. It emphasizes the interpretive flexibility of GDPR, suggesting that it does not inherently hinder the application of AI to personal data or disadvantage EU companies against global competitors.
- Avoiding Major Changes: Contrary to the fear of extensive amendments, the study asserts that the GDPR does not require substantial changes to accommodate AI applications. However, it highlights certain AI-related data protection issues that lack explicit answers in the GDPR, leading to potential uncertainties and costs.
- Guidance for Controllers and Data Subjects: Recognizing the importance of guidance, the study recommends providing controllers and data subjects with clear instructions on applying AI to personal data in line with GDPR principles. This guidance aims to prevent costs associated with legal uncertainty while enhancing compliance.
- Multilevel Approach to Guidance: The study emphasizes the need for a multilevel approach involving data protection authorities, civil society, representative bodies, specialized agencies, and all stakeholders to provide comprehensive guidance on AI applications.
- Broad Societal Debate: To address uncertainties, the study calls for a broad societal debate involving political and administrative authorities, civil society, and academia. This discussion should establish standards for AI processing of personal data, ensuring acceptability, fairness, and reasonability in decisions on individuals.
- Specific Guidance from Authorities: Political authorities, such as the European Parliament and the Council, are urged to provide general open-ended indications about values and ways to achieve them. Data protection authorities, including the Data Protection Board, should offer specific guidance on AI issues where the GDPR lacks clarity.
- Interpretation of Fundamental Principles: The study recommends interpreting fundamental data protection principles, such as purpose limitation and minimization, in a way that does not hinder the use of personal data for machine learning purposes. This includes the creation of training sets and algorithmic models for socially beneficial AI systems.
- Profiling and Automated Decision-Making: To address profiling and automated decision-making, the study suggests imposing an obligation of reasonableness on controllers, particularly when these processes lead to automated decisions. Controllers should also provide high-level explanations to users, allowing them to contest detrimental outcomes.
- Notification Obligations and Information Rights: It may be useful to establish obligations for controllers to notify data protection authorities of individualized profiling and decision-making applications. The study also stresses the importance of specifying the content of controllers’ obligations to provide information about the ‘logic’ of AI systems.
- Empowering Data Subjects: Ensuring the right to opt-out of profiling and data transfers, as well as the right to be forgotten, is crucial. Normative and technological requirements concerning AI by design and by default need to be specified to facilitate these rights.
- Combatting Data Abuse: Strong measures are recommended against companies and public authorities that intentionally abuse the trust of data subjects by using their data against their interests.