Crucial to AI Act is that organisations using high-risk AI systems must conduct a comprehensive Fundamental Rights Impact Assessment (FRIA). This assessment proactively identifies and mitigates potential harms to individuals. Notably, the FRIA shares similarities with the Data Protection Impact Assessment (DPIA) mandated under the GDPR. This underscores the intersection of data protection and fundamental rights in the context of AI systems.

What is a Fundamental Rights Impact Assessment (FRIA)?

While the EU AI Act does not expressly define the FRIA, it explains what the objective of the assessment is. The Act also states what the assessment must contain. Recital 96 of the AI Act states that “The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals…”. Moreso, the FRIA helps to “identify measures [to take] in the case of a materialisation of those risks”. Orgnaisations must conduct the FRIA “prior to deploying the high-risk AI system”. They are also required to update it “when ... any of the relevant factors have changed”.

In other words, a FRIA is an evaluation of the risks high risk AI systems present in relation to individuals’ rights. It is also the determination of remediation strategies to manage and mitigate the risks in case they occur.

What should a Fundamental Rights Impact Assessment contain?

According to Article 27(1) of the EU AI Act, the Fundamental Rights Impact Assessment should contain the following information:

Interestingly, Article 27(4) of the EU AI Act states that if organisations meet “any of the obligations laid down in this Article […] through the data protection impact assessment conducted pursuant to Article 35 of [the GDPR]…, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment”. Essentially, the fundamental rights impact assessment should complement the data protection impact assessment.

Intersection between Fundamental Rights Impact Assessment and Data Protection Impact Assessment

Article 35 of the GDPR states that a DPIA evaluates the impact of processing operations on the protection of personal data. This is especially where the processing operations make use of new technologies and is likely to result in a high risk to the rights and freedoms of natural persons. Based on this, it appears that the FRIA and DPIA relate to the impact, rights and protection of personal data for high risk AI systems and high risk processing operations respectively.

The table below offers a quick overview of the minimum information requirement for the FRIA and DPIA:

FRIA and DPIA in practice

The minimum requirements for FRIA and DPIA differ. Although in practice, both assessments often include additional information, making them quite similar. For example, Article 35 of the GDPR does not mandate the inclusion of data subject categories in the DPIA. However, organisations logically include such details to identify risks to individuals’ rights and freedoms. Similarly, the EU AI Act does not explicitly require the purpose and proportionality of processes in the FRIA. Yet organisations naturally include them when describing the processes and the necessity of the AI system.

What are the differences?

The major difference between the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment is their focus point. The FRIA focuses on how the AI system directly impacts the rights of individuals. The DPIA focuses on how the processing operation impacts the protection of personal data and the rights of individuals.

The table below provides an overview of the major differences between the FRIA and the DPIA:

Summary

The major takeaway is that the Fundamental Rights and Data Protection Impact Assessment play a complementary role. At least, this is the intent of the EU AI Act according to Article 27(4). Therefore, organisations deploying high risk AI systems processing personal data, will have to conduct both assessments. If your organisation is a provider of high risk AI systems, there is no requirement to conduct the FRIA. However, providers must make information available to deployers of the AI system to make the conduct of the FRIA possible. This is because a substantial part of the assessment relies on the information presented by AI providers.

Given that the EU AI Act is new, organisations may struggle with identifying their role in the AI value chain. Orgnaisations may also struggle to comply with requirements based on that role. At TechGDPR, we assess your processing operations, the information provided by AI providers as well as the envisaged implementation of the AI system to help determine what requirements apply under the EU AI Act. We can help you correctly classify the AI system(s) your organization plans to manufacture or deploy, ensuring early detection of any outright prohibitions. This will prevent your organisation from wasting valuable resources on systems not allowed within the EU.

The post Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment appeared first on TechGDPR.

With the introduction of the GDPR in 2018, data protection has become a popular topic both from a legal and technical perspective. The importance of efforts around privacy and data protection is personal data and its protection. Under the EU GDPR, there are key elements in the definition of personal data. 

Personal data is any information relating to an –

Article 4 of the EU GDPR mentions some examples of personal data in its definition (Art.4.1). It states that personal data could be ‘ […] an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. Based on the definition of personal data and the examples stated in the EU GDPR, it may easily be inferred that technical information relating to hardware constitutes personal data, something that the new e-Privacy Regulation is expected to further clarify.

Hardware identifiers

Technical information attributed to hardware could take the form of numeric, alphanumeric or alphabetic codes used to uniquely identify a device or a batch of devices alone or within a network; for instance, the serial number of a device, the IMEI number, model number, MAC address, etc. Serial numbers are unique and assigned by a manufacturer to a device. This device could be a mobile phone, a television, a tablet, audio/video equipment, etc. According to guidance from Samsung, Serial numbers help manufacturers organise and keep track of their products. The IMEI (International Mobile Equipment Identity) number is a number that uniquely identifies a mobile communication device and no two mobile devices have the same IMEI. The IMEI number can be described as the digital fingerprint of your device. The model number is used to identify what type of device you have and applies to a number of devices that share something in common such as the manufacture or release year. While the model number is a hardware identifier, it is not unique to a device as multiple devices can have the same model number.

How can hardware identifiers be personal data?

Since these various numbers are merely hardware identifiers, how could they also be personal data? Of particular interest is the IMEI number which is often seen as the digital fingerprint of your device. Taking the definition of personal data and the IMEI number into account, the IMEI number becomes personal data as soon as it is associated with a person. Consequently, the IMEI number of a smartphone would not be regarded as personal data until it is purchased. However, when a person purchases the smartphone and activates it – which often leads to providing personal details such as name, email address, password or biometrics, i.e. opting for face ID unlock, the IMEI number becomes personal data as it is now linked to other information from the owner/user of the smartphone. 

At this point, the individual elements of the definition of personal data become important. Since personal data refers to information relating to an identified or identifiable person from direct or indirect inference, when various data points are capable of identifying a person, any data being combined with personal data, in turn, becomes personal data.  

Practical examples

Section 171 and 172 of the European Data Protection Board (EDPB) Guidelines on processing personal data in the context of connected vehicles and mobility related applications, states that when a person’s smartphone is paired with the dashboard of a rental car while using Bluetooth or USB connections, a variety of data is processed by the rental car. These might include phone identifiers, voice and data communications, contact lists, web browsing data, personal contacts, schedules, choice of music, radio and other streamed audio or video content, which all reveal personal information. As such, they help draw a precise profile of the data subject. Since IMEIs are being used to lock devices to carriers, blacklist lost or stolen phones, track the location of a smartphone, it is obvious why the IMEI number of a device should be considered as personal data after its purchase and subsequent activation. In addition, Law enforcement agencies routinely use IMEI numbers to track down criminals as well as for other forensic purposes. The use of IMEI numbers to track individuals makes a good case for why the IMEI number is personal data as soon as it becomes associated with a person by purchase, activation or however else. 

This conclusion also applies to all other hardware identifiers which are unique to the device and through which the device or its user may be traced. 

What can I do if I process IMEI numbers in the course of my business operations?

When considering whether your business processes personal data in the form of hardware identifiers, a number of factors are to be taken into account such as whether these identifiers become linked to a person through the purchase of a device, its activation or use. If you are unsure whether such identifiers constitute personal data, request a more detailed assessment from TechGDPR and its experienced consultants who will take your unique business operations into consideration and tailoring your compliance solutions.

The post Hardware identifiers: Is an IMEI number personal data? appeared first on TechGDPR.