In our previous post, we addressed Artificial Intelligence (AI) data protection concerns. Here you will find some safeguards that may help to address such concerns based on EU Regulation 2016/679, General Data Protection Regulation (GDPR).

The main safeguards provided by GDPR

  • Privacy by design and privacy by default (Article 25 of GDPR)

    The first, and perhaps the most important, safeguard the GDPR introduces with reference to data processing by AI systems is Article 25, which requires the implementation of the data protection principles of privacy by design and privacy by default.

    The provision matters to AI providers, since they must design their AI systems so as to comply with data protection principles (such as minimization and proportionality). The consequences of implementing Article 25 are potentially disruptive from AI providers' perspective, as it will substantially limit data processing (and the sharing of data with third parties) through AI systems; this may lead to amending the data-based business model on which they currently rely.

    Moreover, a strict implementation of Article 25 of GDPR may help to reduce the negative impact of some of the privacy-related issues addressed in our previous post: for instance, a correct design of an AI system under Article 25 may help to avoid uncontrolled data processing by an AI system through its machine learning features, or it may enhance the overall security of the system.

  • Automated individual decision-making (Article 22 of GDPR)

    Article 22 of GDPR sets out that data subjects have the right not to be subject to decisions based solely on automated processing which are capable of producing legal effects on them or of otherwise affecting them. Under this "human-based approach", even if the processing is carried out by automated means, a data subject is granted the right to object to the decisions derived from it. It may, however, be difficult to apply such a right in practice, since AI systems are designed not to allow human intervention that could replace the automated decision-making.

  • The Data Protection Impact Assessment (DPIA) and prior consultation of the Supervisory Authority (Articles 35 and 36 of GDPR)

    Under Article 35(3) of GDPR, a DPIA is required, inter alia, in case of "a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person." Accordingly, most AI systems would require a DPIA before any personal data processing is carried out. This will require a detailed assessment of AI systems from a data protection perspective, including the security measures that are applied.

    In addition, "where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk", the data controller shall consult the relevant Data Protection Supervisory Authority under Article 36 of GDPR. 

  • Data subjects' rights

    All the above safeguards are obviously without prejudice to the data subjects' rights provided by the GDPR, such as the right of access to the personal data processed, the right to restriction of processing, the right to erasure of the personal data concerning the data subject, the right to object to the processing of personal data and the right to data portability. However, such rights may be difficult to exercise in an AI scenario. Consider, for instance, the right to data portability, under which the data controller shall provide the data (to the data subject or to another data controller) "in a structured, commonly used and machine-readable way" (see Article 20 of GDPR).

How about Italy?

As is widely known, the GDPR has applied within the Italian territory since May 25, 2018, so the considerations of the previous paragraphs are also valid with respect to the Italian jurisdiction. In November 2018, the Italian Data Protection Supervisory Authority (Garante per la protezione dei dati personali, the "Garante"), in compliance with Article 35(4) of GDPR, issued a list of data processing activities for which a DPIA is mandatory. Among the activities subject to the DPIA obligation are, inter alia, data processing activities carried out through automated means or which involve monitoring of data subjects: that is, all data processing carried out by AI systems.

Moreover, the Garante has taken seriously the data protection concerns connected to AI implementations and enhancements, and has put in place some initiatives to "educate" users, consumers and data subjects in limiting the intrusiveness of AI systems in their private lives. In this regard, the guidelines and general provisions on the use of "smart toys" (which usually entail the processing of personal data of individuals under legal age) are notable.

Final remarks

The local Data Protection Supervisory Authorities will play a key role in setting the criteria for concretely applying the above-mentioned safeguards. In the meantime, the more sophisticated organizations will likely set up specific governance guidelines for dealing with AI, with such guidelines addressing not only the overall technical and data feeding processes, but also a number of legal and ethical issues.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.