Montreal AI Ethics Institute


Democratizing AI ethics literacy

The Impact of the GDPR on Artificial Intelligence

February 20, 2022

Research Summary by Avantika Bhandari, SJD. Her research areas cover indigenous knowledge and its protection, human rights, and intellectual property rights.

[Original paper by European Parliament]


Overview: The report addresses the relationship between the General Data Protection Regulation (GDPR) and Artificial Intelligence (AI). Further, the study analyzes how AI is regulated in the GDPR and the extent to which AI fits into the GDPR framework. It discusses the tensions and proximities between AI and data protection principles, particularly those of purpose limitation and data minimization. The report conducts an in-depth analysis of automated decision-making, the safeguards to be adopted, and whether data subjects have a right to individual explanations.


Introduction

In the last few decades, AI has gone through rapid development. It is a known fact that AI can lead to social, economic, and cultural development, better health care, and the spread of knowledge. However, these opportunities are also accompanied by serious risks, including discrimination, exclusion, unemployment, surveillance, and manipulation. AI has significantly evolved since it began to focus on the application of machine learning to mass volumes of data. In machine learning applications, AI systems ‘learn to make predictions after being trained on vast sets of examples.’ Thus, AI has become hungry for data and has led to the process of data collection, in a self-reinforcing spiral. This study aims to provide a comprehensive assessment of the interactions between artificial intelligence and the principles of the GDPR.

Key Insights

AI in the GDPR: Unlike the Data Protection Directive, the GDPR contains terms referring to the internet (websites, links, and social networks). However, it does not contain the term ‘artificial intelligence,’ nor any terms connected with related concepts such as autonomous systems, intelligent systems, automated reasoning and inference, machine learning, or even big data. Nevertheless, many provisions in the GDPR are relevant to AI.

  1. Article 4(1): Personal Data (identification, identifiability, re-identification): In connection with the GDPR definition of personal data, AI raises two key issues: (i) the ‘re-personalisation’ of anonymous data, namely the re-identification of the individuals to which such data are related; and (ii) the inference of further personal information from personal data that are already available. Thanks to AI and big data, the identifiability of data subjects has vastly increased.
  2. Article 4(2): Profiling: Although GDPR does not explicitly refer to AI, it does address processing that is accomplished using AI technology. The process consists of using the data concerning a person to infer information on other aspects of that person.
  3. Article 4(11): GDPR Consent: According to GDPR, consent should be freely given, specific, informed, and unambiguous. Consent plays a crucial role in the traditional understanding of data protection, based on the ‘notice and consent model,’ according to which data protection is aimed at protecting the right to ‘informational self-determination.’
  4. Article 5(1)(b): GDPR Purpose limitation: The concept of a purpose establishes a relationship between the purpose of processing operations and their legal basis. There is a tension between the use of AI and the purpose limitation requirement. The technologies ‘enable the useful reuse of personal data for the new purposes’ that are different from those for which they were originally collected. For example, data collected for contract management can be processed to learn customers’ preferences and can be used to send targeted messages. To establish the legitimacy of repurposing data, one needs to determine whether the new purpose is ‘compatible’ or ‘not incompatible’ with the purpose for which the data were originally collected.
  5. Article 5(1)(d): GDPR Accuracy: GDPR requires that data must be ‘accurate and where necessary kept up to date,’ and initiative must be taken to address inaccuracies. This principle is also applicable when personal data is used as an output to an AI system, especially in instances where personal data are used to make inferences about the data subject.

It has been argued that GDPR would be incompatible with AI and big data, considering that GDPR is based on principles such as data minimization, purpose limitation, the special treatment of ‘sensitive data,’ and the limitation on automated decisions. However, this report shows that it is likely that GDPR ‘will be interpreted in such a way as to reconcile both desiderata: protecting data subjects and enabling’ useful applications of AI.

Between the lines

The report suggests that oversight by competent authorities needs to be complemented with the support of civil society. As power relations, collective interests, and societal arrangements are at stake, a public debate and the involvement of representative institutions are also needed. GDPR does not address the issue of collective enforcement, which relies on individual action by the concerned data subject. Enabling collective actions for injunctions and compensation can prove to be an effective mechanism toward effective protection.

Some policy proposals on AI and the GDPR:

  • A number of AI-related data protection issues are not mentioned in the GDPR, which may lead to uncertainties and costs, and may unnecessarily hamper the development of AI applications.
  • Data subjects and controllers should be provided with guidance on how AI can be applied to personal data in line with the GDPR, and on technologies for doing so.
  • The political debate must address what applications are to be barred unconditionally, and which may be applied under specific circumstances.
  • National Data Protection Authorities should also provide recommendations and guidance, in particular when contacted by the controllers or in response to data subjects’ queries.
  • Guidance is also needed on profiling and automated decision-making. 
  • Collective enforcement in the data protection domain should be facilitated. 
  • © MONTREAL AI ETHICS INSTITUTE. All rights reserved 2024.
  • This work is licensed under a Creative Commons Attribution 4.0 International License.