The Impact of the GDPR on Artificial Intelligence

[Original paper by European Parliament]

---

Overview:  The report addresses the relationship between General Data Protection Regulation (GDPR) and Artificial Intelligence (AI). Further, the study analyzes how AI is regulated in the GDPR and the  extent to which AI fits into the GDPR framework. It discusses the tensions and proximities between AI and data protection principles, particularly that of purpose limitation, and data minimization. The conducts an in-depth analysis of automated decision-making, the safeguards methods to be adopted, and whether data subjects have a right to individual explanations.

---

Introduction

In the last few decades, AI has gone through rapid development. It is a known fact that AI can lead to social, economic, cultural development, better health care, and the spread of knowledge. However, these opportunities are also accompanied by serious risks, including, discrimination, exclusion, unemployment, surveillance, and manipulation. AI has significantly evolved since it began to focus on the application of machine learning to mass volumes of data. In machine learning applications, AI systems ‘learn to make predictions after being trained on vast sets of examples.’ Thus, AI has become hungry for data and has led to the process of data collection, in a self-reinforcing spiral. This study aims to provide a comprehensive assessment of the interactions between artificial intelligence and the principles of GDPR.

Key Insights

AI in the GDPR: Unlike the Data Protection Directive, the GDPR contains terms referring to the internet (websites, links, and social networks), however, it does not contain the term ‘artificial intelligence,’ nor any terms connected with relating concepts such as autonomous systems, intelligent systems, automated reasoning and inference, machine learning or even big data. But, we will see that there are many provisions in the GDPR that are relevant to AI.

1. Article 4(1): Personal Data (identification, identifiability, re-identification)- In connection with the GDPR definition of GDPR definition of personal data, AI is raised in two key issues: i) the ‘re-personalisation’ of anonymous data, namely the re-identification of the individuals to which such data are related; (ii) and the inference of further personal information from personal data that are already available. Thanks to AI and big data the identifiability of the data subjects has vastly increased.
2. Article 4(2): Profiling- Although GDPR does not explicitly refer to AI, it does address processing that is accomplished using AI technology. The process consists of using the data concerning a person to infer information on other aspects of that person.
3. Article 4(11): GDPR consent: According to GDPR, consent should be freely given specific, informed, and unambiguous. Consent plays a crucial role in the traditional understanding of data protection, based on the ‘notice and consent model,’ according to which data protection is aimed at protecting the right to ‘informational self-determination.’
4. Article 5(1)(b): GDPR Purpose limitation: The concept of a purpose establishes a relationship between the purpose of processing operations and their legal basis. There is an existence of tension between the use of AI and the purpose limitation requirement. The technologies ‘enable the useful reuse of personal data for the new purposes’ that are different from those from which they were originally collected. For example, data collected for contract management can be processed to know customers’ preferences and can be used to send targeted messages. To establish the legitimacy of repurposing data, one needs to determine whether the new purpose is ‘compatible’ or ‘not incompatible’ with the purpose of originally collected data. 
5. Article 5(1)(d): GDPR Accuracy: GDPR requires that data must be ‘accurate and where necessary kept up to date,’ and initiative must be taken to address inaccuracies. This principle is also applicable when personal data is used as an output to an AI system, especially at instances when personal data are used to make inferences about the data subject. 

It has been argued that GDPR would be incompatible with AI and big data, considering that GDPR is based on principles such as data minimization, purpose limitation, the special treatment of ‘sensitive data,’ the limitation on automated decisions. However, this report shows that it is likely that GDPR ‘will be interpreted in such a way as to reconcile both desiderata: protecting data subjects and enabling’ useful applications of AI. 

Between the lines

The report suggests oversight by competent authorities needs to be complemented with the support of civil society. As power relations, collective interests, and societal arrangements are at stake, a public-debate and involvement of representative institutions are also needed. GDPR does not address the issue of collective enforcement, which relies on individual action by the concerned data subject. Enabling collective actions for injunctions and compensations can prove to be an effective mechanism toward effective protection. 

Some policy proposals on AI and the GDPR:

• A number of AI-related data protection issues are not mentioned in the GDPR, which may lead to uncertainties and costs, and may unnecessarily hamper the developments of AI applications.
• Data subjects and controllers should be provided with guidance on AI that can be applied to personal data with the GDPR, and on technologies for doing so.
• The political debate must address what applications are to be barred unconditionally, and which may be applied under specific circumstances.
• National Data Protection Authorities should also provide recommendations and guidance, in particular when contacted by the controllers or in response to data subjects’ queries.
• Guidance is also needed on profiling and automated decision-making. 
• Collective enforcement in the data protection domain should be facilitated.