The GDPR – and why AI should care
Since May 25, the processing of European personal data has been governed by the regulative frame of the General Data Protection Regulation (GDPR). This regulation, while still being somewhat an interrogation point on many issues, nevertheless brings valuable input into the European effort to address the question of how to deal with personal data.
Since artificial intelligence (AI) is driven by data, experts in this field will have to shed light regarding the impact of the GDPR on one of the hottest topics of the current digital era – especially in a geographic area in which ethics and societal issues are taken very seriously.
How the GDPR offers a frame for a powerful and secure AI
By implementing the GDPR, lawmakers created visibility and therefore transparency of data. The right of access (art. 15), as well as the right to be forgotten (art. 17), or the right to explanation (art. 15), make data transparency a must that forces each processor of personal data to tidy up their business. That means, “that companies such as Facebook and Google, at least when providing services to European users, must explain their algorithmic decision-making processes.”
This standard of accountability that companies must achieve will increase the standard of AI neural networks and force all of us to use an AI we can understand and control. This might seem like a restraint in the short term, but it will help us establish relations with customers that are built on trust – a value that is absolutely essential to the success of AI.
Next to transparency, the biggest and most substantive benefit of GPDR to AI is increased data quality. This is the European Commission’s primary argument for the positive impact of the GDPR on its AI strategy: “The principle of accountability enshrined in the GDPR is set to foster the accuracy of data. […] Data quality, as fostered by the GDPR, is crucial.”
Indeed, if you feed your AI with bad data, you’ll soon reap bad results. When it comes to AI, the “garbage-in, garbage-out” approach is simply not a solid base to start with. To accept poor quality standards has two direct consequences: First, the time spent to repair approximative results. “It is time-consuming, tedious work (taking up to 80% of data scientists’ time), and it’s the problem data scientists complain about most.” Second, the prejudices and bias that emerge from bad AI: “When the wrong data is fed into the algorithms, they also make the wrong decisions.” In this light and by ensuring data quality, the GDPR may just be the good friend AI needs to avoid getting out of control.
By making sure the handling of personal data is transparent and qualitative, the EU gives itself the frame that will make its further goal possible: “It [GDPR] guarantees the free flow of personal data within the Union.” This free movement of data, that only can exist if based on a common understanding of transparency and data quality, will finally give rise to a solid and healthy buffet – and will give to AI an all-you-can-eat option.
While the GDPR might seem to be quite nit-picking, it actually perfectly fits the vision Europe wants to have of AI: “This is where the EU’s sustainable approach to technologies creates a competitive edge.” This vision is not only embraced on a supranational level, but also by today’s leaders. French President, Emmanuel Macron, said: “Europe has not exactly the same collective preferences as the US or China.” Embedded in the pursuit of an “appropriate framework which promotes innovation and respects the Union’s values and fundamental rights as well as ethical principles such as accountability and transparency,” the EU is betting on the trust race AI implies. Therefore, acceptance by consumers will be just important as the need for innovation. On this road, the GDPR sets the first regulatory framework. “This is how the EU can make a difference – and be the champion of an approach to AI that benefits people and society as a whole.”
GDPR as a challenge:
The relation between AI technology and the GDPR is multidimensional. One the one hand, the story tells us that AI effectively helps detect GDPR violations. One the one hand, several elements of the GDPR themselves challenge the effective use of AI. There are, in fact, four aspects of the regulation that create legal issues when it comes to the use of artificial intelligence: the principle of data minimization, the principle of transparency, the right for access related to the automated individual decision, and the admissibility of the automated individual decision as such.
The principle of data minimization means that to collect personal data for necessitated processing, means must be restricted (art. 5 Abs. 1 lit.). With this principle, the regulatory idea is to avoid the uncontrolled massive collection of data in order to get as much insight as possible into the lives of citizens to offer them better service. Yet the core logic of big data, but also of AI, lies precisely in getting more data in order to raise the quality of decisions. Let’s take machine learning as an example. With each additional input data, such as face visuals, the face recognition program will have a higher and safer output quality. While the legislator’s intention wasn’t to restrict the use of AI, the principle of data minimization still certainly poses a problem that the AI technology will have to deal with.
The implementation of the principle of transparency, whose goal is to make the data processing process and the logic of data-based decisions understandable, is often problematic when dealing with AI. It will be difficult to apply the requirements of transparency to the black-box-process experienced by deep learning techniques – let alone knowing that even experts still struggle with that matter. It will, therefore, be quite difficult to satisfy the right of access and to explain the logic of automated individual decisions (Art. 15 Abs. 1 lit. h GDPR): Either such a right won’t be possible, or it will be too vague to provide any valuable information.
Finally, there is the problematic embedding of AI in the context of Art. 22 of the GDPR, which rules on the admissibility of automated individual decisions. It is indeed the right of each individual to refuse being the subject of a fully automated decision-making process. The targeted content of art. 22 is mostly data analysis that would lead to discrimination, manipulation, and heteronomy. First, it remains to be seen whether this precept applies to AI-based decisions that don’t involve a concrete individual but rather a group of people (for example the population of a specific neighborhood). Second, the precept of a human intervention within automated individual decisions with an “appreciably affecting” effect brings up many questions: What exactly is “appreciably affecting”? How does it deal with impairments that are not perceptible yet? How far and how consistent should the “human intervention” be in these technical processes?
Toward a global debate about data ethics:
The GDPR, in its current version, is mostly liberal when it comes the use of algorithms and AI. It actually even provides the disciplined and solid framework the EU wanted to implement in order to guarantee its further AI strategy – the emergence of a qualitative AI based on transparent, accountable, and simply good data. However, the open questions could lead to substantial uncertainty in the field of development. Acknowledging the potential of AI technology, a solid and clear line should be defined as soon as possible during this early stage. Where there is no clear ruling – as for example in the field of societal risks and social fairness –, a global social discourse must emerge about data ethics.
 See European Commission: The Age of Artificial Intelligence, in EPSC Strategic Note, p.6.
 If your data is bad, your machine learning tools are useless, in URL: https://hbr.org/2018/04/if-your-data-is-bad-your-machine-learning-tools-are-useless.
 See Communication Artificial Intelligence for Europe, in URL: https://ec.europa.eu/digital-single-market/en/news/communication-artificial-intelligence-europe.
 Emmanuel Macron talks to Wired about France’s AI Strategy, in URL: https://www.wired.com/story/emmanuel-macron-talks-to-wired-about-frances-ai-strategy/.
 See Communication AI for Europe.