The City of Amsterdam is stopping a pilot with the AI application 'Microsoft Copilot' because of privacy risks. A recent privacy assessment by SLM Rijk shows that Copilot cannot be used compliantly for the time being. VNG advises municipalities to make a conscious decision as to whether the risks outweigh the benefits.

Copilot can be used for taking minutes of meetings, writing documents and searching emails and chats, among other things. The application is interactive and works with "prompts" where the user can ask questions and the AI utility answers. Through this interaction between the user and Copilot, a variety of data is processed. This data processing must comply with laws and regulations, such as privacy laws.
To ensure that technologies such as Copilot are deployed responsibly, several tools and tests have been developed, including a privacy test (the data protection impact assessment or DPIA). SLM Rijk (Strategic Supplier Management Microsoft) recently conducted this privacy test and discovered a number of risks arising primarily from a lack of transparency.
Several municipalities are already taking advantage of the opportunities that generative AI, such as Copilot, offers, but even more municipalities want to be able to do so more effectively, purposefully and reliably. This requires that the products offered by the market meet certain requirements, at a minimum European laws and regulations.
Municipalities will have to weigh for themselves whether they can adequately mitigate or consciously accept the risks that follow from Copilot's privacy test. The information security service (IBD) has written a supplementary memorandum (pdf, 168 kB) that highlights the (possible) consequences for municipal organizations.
VNG believes that municipalities should embrace the opportunities offered by digital technology. Think of data-driven policy, digital twins, process automation and generative AI applications, for example for writing or summarizing texts. In doing so, we must together ensure that this is not driven by a market push or by the business and IT perspective alone, and that it is always done in a way that focuses on the needs and protection of residents, with a clear goal in mind.
'The results of the DPIA confirm our concerns about the deployment of Microsoft Copilot. The risks identified mean that this technology cannot be used safely and legally within our organization at this time. Therefore, we have decided to discontinue our pilot with Microsoft Copilot and not implement the technology for the time being. We concur with SLM Rijk's position that Microsoft must first take concrete steps to eliminate these risks.'
