The use of artificial intelligence ("AI") within organizations is almost unimaginable. Machine learning, in particular, is a widely used form of AI technology. Because machine learning AI systems generally use personal data, compliance with privacy and data protection laws such as the General Data Protection Regulation ("AVG") is critical. Below is a brief overview of the 8 key AVG concerns for any organization planning to deploy AI technology in its business operations using personal data.
Organizations can have different roles in relation to AI systems. From each role, personal data can be processed. Two privacy roles follow from the AVG: the controller and the processor. The concerns mentioned in the white paper must be followed by the controller. Processors must comply with the instructions of the controller. To ensure this, a processor agreement must be concluded.
To comply with the AVG, any AI system that processes personal data must have a defined, explicit and legitimate purpose for such processing. Developing a (machine learning) AI system involves two stages: the learning stage and the operational stage. Because both stages each have their own purpose, a separate test must be performed for each of these purposes to determine whether they meet the aforementioned requirements. The goals should already be established during the design phase of the system so that it can be assessed whether the system is suitable for the intended purposes and can be appropriately designed.
Like any other data processing, the use of personal data in AI systems must be based on one of the six exhaustive, legal bases provided by the AVG. These can be used to determine whether personal data may be processed and what rights data subjects have with respect to the processing. Personal data obtained unlawfully may never be used in AI systems. Special personal data may only be processed if the controller can invoke a legal ground for exception.
Organizations should provide clarity on the use of personal data in AI systems and ensure that data subjects understand the information provided. When using datasets of personal data obtained through third parties, informing data subjects (in a timely and individual manner) is often a challenge.
Processing (such as collection and use) of personal data should be limited to what is necessary for the specific purpose, including in AI systems. This can be achieved by carefully selecting and managing data sets and minimizing the amount of data used. Also check out the 7 tips for complying with principle of minimal data processing in the attached white paper.
Personal data may not be kept indefinitely. The AVG requires a specific period of time after which data must be deleted or anonymized. With AI systems, it happens more often that data must be kept longer for training datasets and analyzing the operation of the AI system over a longer period of time. In principle, this need not be an obstacle, as long as it can be argued why this longer retention period is necessary and only the data from the datasets that are needed for this purpose are retained.
Data subjects have several rights under the AVG to control their personal data. As a data controller, you have a duty to inform about how to exercise these rights. The rights apply with respect to personal data used throughout the life cycle of the AI system. The data controller is therefore well advised to develop appropriate mechanisms and arrangements already from the design phase to respond to requests from data subjects in a timely and adequate manner.
Data subjects have the right not to be subjected to fully automated decisions, including profiling, that have legal consequences or otherwise significantly affect them. This is different, if the data subject has given his/her consent or such processing results from laws and regulations or an agreement with the data subject. Specific conditions do then apply, for example the data subject's right to human intervention and to object to the decision.
The AI Act considers AI systems to be products, with prior product safety checked. While this indirectly protects against faulty AI systems, data subjects have no direct role in the AI Act and cannot directly exercise their rights (see focus point 7 in the white paper). In contrast to the AI Act, the AVG does guarantee data subjects' right to data protection, when their data is used in AI systems. This is because they have various rights to maintain control over their personal data processed in this context. All the more reason for organizations that deploy AI systems using personal data to comply with the rules of the AVG when doing so.
Download the white paper here: https://kvdl.com/uploads/documents/De-8-AVG-aandachtspunten-bij-gebruik-van-AI.pdf