Europe Archives - TechGDPR (https://techgdpr.com/blog/tag/europe/)

Strategic Compliance in the EU: Balancing Competition, GDPR and AI Regulation
https://techgdpr.com/blog/strategic-compliance-in-the-eu-balancing-competition-gdpr-and-ai-regulation/ (Tue, 03 Oct 2023)

AI is no longer confined to tech gossip or futuristic movies. The fierce competition within the tech industry for AI continues to intensify. China and North America are poised to drive the largest economic gains from AI, with a projected boost of 26% and 14.5% to their respective GDPs by 2030, amounting to a combined total of $10.7 trillion. Europe, being one of the greatest competitors in the field, must compete with major players such as China and the USA by allocating its resources to the development of new AI technologies. The European Union (EU) faces a difficult balancing act: maintaining its competitiveness while protecting the fundamental rights of its citizens.

The Economic Impact of AI

BITKOM, Germany’s digital association, conducted a survey revealing a significant finding: approximately half of all companies surveyed in the EU have already abandoned new, innovative projects. This is due to ambiguities in the interpretation of the GDPR. Fear of potential penalties and legal ramifications could further discourage companies from investing in new AI technologies.

The new AI Act, which is still on the legislative agenda of the EU, will largely determine the competitiveness of the AI industry; it holds the power to shape the EU’s AI industry for the next decade. However, the unprecedented challenge for the EU’s fast-paced tech industry is the patchwork of different member state laws and regulations that prevent innovation. The privacy concerns of EU citizens are another important topic that directly threatens AI innovation. The EU’s new AI Act envisions an AI regulatory sandbox to establish a sustainable competitive environment for AI technologies while safeguarding citizens’ fundamental rights.

Article 6(1) defines a high-risk AI system as one where “the AI system is intended to be used as a safety component of a product, or is itself a product, covered by Union harmonization legislation” or where “the product whose safety component is the AI system, or the AI system itself as a product, is required to undergo a third-party AI conformity assessment with a view to the placing on the market or putting into service of that product pursuant to Union harmonization legislation.”

AI regulatory sandboxes make it easier for innovators to conduct experiments with high-risk AI systems and test their products with fewer legal procedures. AI regulatory sandboxes also offer legal flexibility, but not absolute immunity.

Looking across all types of AI failures, the most frequent problem is privacy risks. High-risk AI systems have the potential to inflict greater harm upon the fundamental rights of citizens.

Figure: Incidence of AI failure models. Source: Floridi, L. et al. (2022) ‘Capai – A procedure for conducting conformity assessment of AI systems in line with the EU Artificial Intelligence Act’. (1)

The Role of the EU in AI Regulation

To effectively address the legal implications arising from AI failures, special attention needs to be given to the rules that shape the direction of the regulatory sandbox. These rules include: processing data for public interest, monitoring performance, risk mitigation, secure data environment, data transmission restriction, data subject impact reduction, technical documentation, record-keeping, and transparency for experimenters. These rules, designed to protect the privacy of data subjects, are in line with the General Data Protection Regulation (EU) 2016/679 (GDPR).

Article 54(1)(c) of the AI Act requires effective monitoring mechanisms to identify risks to data subjects’ fundamental rights in sandbox experimentation. If any issue arises that infringes upon the privacy of data subjects, the risks must be mitigated and, if necessary, the processing halted altogether. Organisations must maintain records of the decisions and efforts carried out to halt data processing in order to demonstrate compliance. Each high-risk AI experiment differs by nature, so a case-by-case examination is necessary. The balancing test between the participants’ interest in privacy and the experimenter’s interests may not practically be determined beforehand or for each experiment. The recommended best practice, which is also a GDPR Article 25 privacy-by-design requirement, is thus to involve privacy experts in designing the experiments.

Regulatory Sandbox for AI

AI regulatory sandboxes are defined in Article 53(1) of the new AI Act as “a controlled environment that facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan.”

For the experiments being conducted, participants in the AI regulatory sandbox remain liable, and as stated in Article 53(2) of the AI Act, “Member States shall ensure that national data protection authorities and other national authorities are associated with the operation of the AI regulatory sandbox.” Additionally, the corrective powers of the competent supervisory authorities in relation to the data subject rights shall remain unaffected.

The AI Act also introduces practices, such as implementing quality management systems, maintaining technical documentation, and establishing post-market documentation plans, specifically designed for high-risk AI systems. However, the overarching goal is to ensure that these practices address privacy concerns in harmony with the protection of fundamental rights. As stated in the ICO’s “Regulatory Sandbox Final Report,” practices such as using synthetic data for innovation can also help to reduce the risk to privacy. However, synthetic data is still generated from real data and must be carefully analysed.

The use of personal data for high-risk AI systems is challenging, but necessary in some cases, such as public health and safety. AI regulatory sandboxes facilitate this possibility, particularly when it serves the public interest in these matters. Nevertheless, supervisory authorities have the authority to halt the experiments if they deem it necessary. The new guidelines from the data protection supervisory authorities and the future cooperation of the European Artificial Intelligence Board are expected to reveal how the AI industry will be shaped within the EU’s Single Data Market policy.

(1) Floridi, L. et al. (2022) ‘Capai – A procedure for conducting conformity assessment of AI systems in line with the EU Artificial Intelligence Act’, SSRN Electronic Journal, p. 57

Weekly digest April 11 – 17, 2022: France’s CNIL to simplify investigation and enforcement of minor cases
https://techgdpr.com/blog/weekly-digest-18042022-cnil-to-simplify-investigation-and-enforcement-of-minor-cases/ (Mon, 18 Apr 2022)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: CNIL investigation and enforcement, EDPB procedural rules 

The French data protection authority CNIL announced a reform of its corrective procedures, moving towards simplified investigation and enforcement actions. A simplified procedure was created in particular for less complex cases. This reform will allow the CNIL to respond better to the increasing number of complaints since the GDPR came into force. Right now the CNIL must respond to numerous complaints (more than 14,000 in 2021), and there is a constant increase in the number of corrective measures it pronounces (18 sanctions and 135 formal notices issued in 2021). Thus cases that are not very complex or serious will be subject to a simplified sanction procedure: any such case will follow the same steps as the ordinary sanction procedure (time limits, adversarial procedure), but the implementation methods are simplified:

  • The president of the CNIL chooses a restricted committee (5 members and a chair).
  • The president appoints a designated rapporteur, who is in charge of the investigation.
  • The chair of the restricted committee (or a member they appoint) decides alone, and no public meeting is organised unless requested.
  • The penalties likely to be pronounced in this context are limited to a fine of a maximum of 20,000 euros and an injunction with a penalty capped at 100 euros per day of delay. These sanctions cannot be made public.

The ordinary procedure has also been adjusted and clarified on certain points, in particular: a) extended deadlines for submitting observations; b) the possibility for a new rapporteur to use investigative work carried out by a previous rapporteur; c) the possibility for the president of the restricted committee to decide alone that there is no longer any need to proceed with the case (e.g. if the organisation has disappeared since the start of the sanction procedure). Finally, the CNIL can now send formal notices that do not require a written response from the organisations. In this case, the organisation is required to comply within the set deadline, but no longer has to send evidence to the CNIL within that same deadline. Compliance may be verified by other means, for example during a subsequent inspection. The full infographic (in French) can be found here.

The EDPB similarly published its latest procedural rules, restating its mission and guiding principles, procedures and working methods as set out in the GDPR, the Police and Criminal Justice Data Protection Directive, and other applicable legislative instruments under EU law. The board shall act independently, apply appropriate measures to ensure confidentiality when required, promote cooperation between supervisory authorities, and endeavour to operate where possible by consensus. With regard to the processing of personal data by EU institutions and bodies, the board shall appoint a data protection officer.

Among other provisions, the European Commission shall have the right to participate in the activities of the board without voting rights. Additionally, the board may invite external experts, guests or other external parties to take part in a plenary meeting and may set the agenda. The board may also decide to grant a non-EU country data protection authority the status of an observer, if it is in the interest of the board and certain qualitative conditions are met. You can read the full document here.

Official guidance: the use of web fonts, post-pandemic data

The Bavarian data protection authority (BayLfD) recently published a statement on the use of web fonts, Data Guidance reports. It specified that a website operator, by integrating an external third-party font service, acts as a controller within the meaning of the GDPR: the operator co-decides on the means and purposes of the processing and lets the third-party provider receive personal data from users. The website operator’s responsibility is limited to the collection and transmission of user data. However, a) no data (e.g. IP addresses) may be transmitted to third-party servers before consent has been given, and b) it must be clearly stated which data is being processed, to whom it is being transmitted, and for what purpose. Finally, the safest data protection solution would be to integrate fonts into a website through self-hosting rather than external hosting.

Meanwhile, the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) announced that, as soon as the COVID-19 pandemic is over, it will review all pandemic-related restrictions. The regulator will approach healthcare providers, such as test centre operators and pharmacies, but also other companies and public bodies that have stored 3G evidence of their employees and customers, and it will insist on the deletion or blocking of this sensitive data. Additionally, the regulator stated that health information, such as information on employees’ pregnancies or autoimmune diseases, must not be used inappropriately, for example to terminate employment contracts or to deny promotion, Data Guidance reports.

Investigations and enforcement actions: IAB Europe’s action plan, Frontex cloud, dismissed CCTV footage case

The Interactive Advertising Bureau (IAB) Europe submitted an action plan to comply with the latest investigation and enforcement decision by Belgium’s data protection authority (APD) regarding the Transparency & Consent Framework (TCF). The submission of the action plan was required under the two-phase remediation period foreseen in the decision, and should enable a version of the TCF with broader compliance functionality to be rolled out over a 6-month period under the supervision of the APD. The action plan outlines how IAB Europe, in its capacity as managing organisation of the TCF, will conduct in-depth discussions among the IAB Europe member companies that implement the TCF and convene in the existing TCF working groups and other instances, as well as with IAB Tech Lab. These instances are multi-stakeholder, bringing together:

  • publishers,
  • ad tech intermediaries,
  • agencies, and
  • consent management platforms.

However, the submission of the action plan is without prejudice to IAB Europe’s appeal of the decision. It contests a number of findings in the decision, in particular the findings that IAB Europe acts as a data controller of the TC String (digital signals created to capture data subjects’ choices on how their personal data can be processed), and as a joint controller for the dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol.

The UK Information Commissioner’s Office (ICO) has found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care (DHSC). The leaked CCTV images showed the former Secretary of State for Health and Social Care and his former aide engaged in behaviour contravening social distancing rules. The regulator launched a criminal investigation after it received a report of a personal data breach from the DHSC’s CCTV operator (EMCOR Group plc). The ICO had a legal duty to carry out an impartial assessment of security within governmental offices. Forensic analysis revealed that the leaked images were most likely obtained by someone recording the CCTV footage screens with a mobile phone. Six phones retrieved during the execution of search warrants did not contain the relevant CCTV footage. The ICO concluded that there was insufficient evidence to charge anyone with criminal offences under the Data Protection Act 2018.

The EDPS issued a reprimand to the European Border and Coast Guard Agency (Frontex) for moving to the cloud without a proper data protection assessment. This constitutes a breach of the data protection legislation applicable to Union institutions, offices, bodies and agencies. The EDPS found that Frontex:

  • moved to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for the processing;
  • failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution (Microsoft 365) was the outcome of a thorough process in which the existence of data protection compliant alternative products and services meeting Frontex’s specific needs was assessed;
  • failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary, based on an identified legal basis and established purposes;
  • breached the accountability principle as well as its obligations as a controller and the requirements of data protection by design and by default.

In addition to the reprimand, the EDPS ordered Frontex to review its data protection impact assessment (DPIA) and records of processing activities (ROPA).

Data breaches: tax authority, visa service, medical practice, fashion industry, airport temperature checks

The Dutch data protection authority (AP) has imposed a fine of 3.7 million euros on the tax authorities for years of illegal processing of personal data in the Fraud Signalling Facility (FSV). This was a blacklist on which the tax and customs administration kept records of fraud, with often major consequences for people who were wrongly on the list.

The UK Home Office’s visa service has apologised for an email address data breach. The private contractor running the service sent an email to applicants containing more than 170 email addresses. Some of the email addresses appeared to be private Gmail accounts, while others belonged to lawyers from a variety of firms.

In the US, Christie Business Holdings Company, (Christie Clinic), a major medical practice in Illinois, informed 500,000 individuals that their personal information was potentially compromised in a data breach. Christie Clinic said the data breach occurred last year, when a third party gained unauthorized access to a single business email account, likely in an attempt to intercept financial transactions.

The fashion industry has also been in breach of privacy lately. Luxury brand Louis Vuitton is facing a class-action lawsuit filed in New York by a customer who alleged that its “Virtual Try-On” feature violates the Illinois Biometric Information Privacy Act. The feature is used for eyewear: users provide an image of their face, which the customer alleged is collected and stored without knowledge or consent. Meanwhile, the UK branch of cosmetics giant Shiseido has reportedly fallen victim to a data breach involving personal details belonging to former and current employees. Some of them have reported being victims of fraud, with their personal data being used to open fraudulent businesses as well as to take out bank loans and insurance.

The Belgian data protection authority has fined the airports of Brussels and Charleroi for Covid temperature checks. These airports did not have a valid legal basis to process travellers’ health data. Since data of this type is sensitive, it cannot in principle be processed, except in a very limited number of exceptions (Art. 9.2 of the GDPR). Processing for reasons of public health or important public interest is among these exceptions, provided it is based on a legal standard that is clear, precise and whose application is foreseeable for the data subjects. The regulator observed shortcomings in terms of the information provided to travellers and the quality of the impact analyses of the existing protocols.

Big Tech: online data brokerage, WhatsApp for work and school

American TV chat show host John Oliver devoted 25 minutes to the data brokerage industry, personal data and privacy as the “unregulated” sector’s profile rises into the mainstream. He typically uses even more colourful language in his dissection of the problems, which include political interests in using personal data being partially behind the lack of regulation, and potentially life-threatening situations made possible by data abuse.

With end-to-end encryption built in, WhatsApp is testing Communities, a new feature for larger groups tailored for organisations such as schools and workplaces. The Meta Platforms-owned company says it is comparable to other private messaging services like Microsoft Teams and Slack. But before the launch, major changes are coming to WhatsApp’s Groups feature: group administrators will now have censorship powers over all chats. Communities, once launched, will also have upgraded safeguards like forwarding limits and a range of anti-abuse tools.

A Comparison of POPIA and GDPR in Key Areas
https://techgdpr.com/blog/a-comparison-of-popia-and-gdpr-in-key-areas/ (Tue, 28 Jul 2020)

South Africa’s Protection of Personal Information Act (POPIA) will see its final sections go into effect on 30 June 2021. Furthermore, parties subject to POPIA must be fully compliant with the guidelines by 1 July 2021. A number of them may have a head start if they already adhere to established data protection guidelines such as the European Union’s General Data Protection Regulation (GDPR). However, they may still be unaware of the extent to which they must adapt to POPIA. This article therefore provides a comparison of POPIA and GDPR as a helpful guide for parties subject to both regulations.

GDPR and POPIA are fairly similar overall, albeit with some differences in terminology, organisation of the respective articles, and greater specificity on the part of GDPR.

Key Definitions in GDPR and POPIA

Each key term below is followed by its definition.

Personal information (POPIA) / Personal data (GDPR)
Information relating to an identifiable, living, natural person. POPIA also includes juristic persons, where applicable.

Processing
Any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information. This includes:
  • Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
  • Dissemination by means of transmission, distribution or making available in any other form
  • Merging, linking, as well as restriction, degradation, erasure or destruction of information

Consent
Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. POPIA also mentions that it is “subject to interpretation regarding what constitutes a voluntary expression of will”.

Data Subject
The person to whom personal information relates.

Responsible Party (POPIA) / Data Controller (GDPR)
A public or private body, or any other person, which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Data Processor (GDPR)
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. There is no concept of a data processor in POPIA, so the responsible party appears to be the sole party liable for POPIA violations.

Information Regulator (POPIA) / Supervisory Authority (GDPR)
A juristic person with jurisdiction throughout the Republic/member state, which is subject only to the constitution, must perform its functions in accordance with POPIA/GDPR, and is accountable to the National Assembly. A key difference between the Information Regulator and the Supervisory Authority is explained below.

Information Officer (POPIA)
A role established under South Africa’s pre-existing access-to-information legislation, the Promotion of Access to Information Act (PAIA). The responsible party is obliged to notify the Regulator of the designation of the Information Officer. Responsibilities of the IO include:
  • Encouraging compliance with POPIA and the conditions for lawful processing
  • Dealing with any request made to the organisation (it is unclear, however, what “any request” covers)
  • Cooperating with the Information Regulator in respect of any investigation
The comparable GDPR term is the Data Protection Officer (DPO). However, the IO is responsible for ensuring compliance with POPIA, while the DPO must supervise and consult but remain independent.

Deputy Information Officer (POPIA)
A person or persons designated in accordance with Art. 56 to help the Information Officer perform his or her tasks. No comparable role is set out in the GDPR.

Special Personal Information (POPIA) / Special Categories of Personal Data (GDPR)
The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of a data subject; and the criminal behaviour of a data subject to the extent that such information relates to alleged offences, or to any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

POPIA and GDPR have the same content here, but POPIA puts criminal offences under the category of special personal information, while the GDPR dissociates the two concepts.

A key difference between the Information Regulator (POPIA) and the Supervisory Authority (GDPR)

Responsible parties under POPIA must obtain authorisation from the Regulator in order to:

  • process:
    • unique identifiers of data subjects for a purpose other than the one specifically intended at collection, with the aim of linking the identifiers with those processed by other responsible parties
    • information on criminal behaviour or on unlawful/objectionable conduct on behalf of third parties
    • information for the purpose of credit reporting
  • transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

The Regulator may, by law or regulation, extend the above provisions to other types of information processing if such processing carries a particular risk for the legitimate interests of the data subject.

In comparison, the GDPR’s Supervisory Authority only monitors GDPR compliance.

What are the Conditions (principles) for processing personal information in GDPR and POPIA?

For both the GDPR and POPIA, accountability is the central principle for processing personal information. Under accountability, both regulations require that the controller/responsible party demonstrate compliance with the following conditions (principles):

Each condition/principle below is followed by its definition.

Processing Limitation
Data must be processed lawfully and reasonably, adhering to the concept of minimality (minimisation in the GDPR). In other words, the processing should be adequate, relevant and not excessive. Collection must come directly from the data subject, except under certain specified circumstances.

Here, POPIA combines minimality and the requirement to collect data directly from the data subject, while the GDPR puts these concepts under two articles.

Purpose Specification (POPIA) / Storage Limitation (GDPR)
“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.” The data subject must be made aware of the purpose of the collection of the information, barring certain exceptions outlined in section 18(4).

“Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected,” except where a legal requirement, contract, etc. applies.

Further Processing
Once data has been processed, further processing may only occur if the purpose of the further processing is compatible with the purpose for which it was collected.

Information Quality (POPIA) / Accuracy (GDPR)
The responsible party must ensure that the personal information is complete, accurate, not misleading and up to date.

Openness
  • The responsible party must maintain documentation of all processing operations
  • The responsible party must ensure, at the time of collection, that the data subject is aware of:
    • The information collected and its source, if not from the data subject
    • The name and address of the responsible party
    • The purpose of collecting the information
    • Whether the information collection is mandatory or voluntary
    • The consequences of failure to provide the information
    • Any law requiring the collection of the information
    • Any intention of the responsible party to transfer the information to a third country and the level of protection afforded by that third country
    • Recipients of the information
    • The nature of the information
    • Their rights to object to the information processing and to officially lodge a complaint with the Information Regulator

The GDPR stipulates that “the controller shall provide” the information above, but POPIA’s terminology, “aware of,” makes it harder to prove. As a result, responsible parties are held to less accountability.

Security Safeguards
The “responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures” (TOMs). To that end it must:
  • Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control
  • Establish and maintain appropriate safeguards against the risks identified
  • Regularly verify that the safeguards are effectively implemented
  • Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards

Data Subject Participation
  • The right to access (after providing proof of identity)
  • The right to ask the responsible party to correct or delete personal information that is “inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.”

Data subject participation is further explained in the section below on the Rights of Data Subjects.

How does the scope of application of POPIA compare with that of the GDPR?

POPIA and GDPR apply when the responsible party is:

  • Domiciled (established) in the Republic/EU
  • Not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, with the exception of forwarding personal information.

This scope is comparable to that of the EU’s pre-GDPR 1995 Data Protection Directive. However, the GDPR also applies when the data processed belongs to EU citizens, regardless of the headquarters of the controller/processor, and when EU member state law applies due to international agreements.

What are the exceptions to the prohibition on processing special personal information under POPIA and GDPR?

Under both POPIA and GDPR, responsible parties/controllers may process special personal information if processing is:

  • Carried out with the consent of the data subject
  • Necessary for the establishment, exercise or defence of a right or obligation in law
  • Necessary in order to comply with an obligation of international public law
  • For historical, statistical or research purposes, to the extent that:
    • the purpose serves a public interest and the processing is necessary for the purpose concerned
    • it appears to be impossible, or would involve a disproportionate effort, to ask for consent
    • sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent
  • Of information that has deliberately been made public by the data subject
  • Authorised by the Regulator upon application by the responsible party, on the basis of public interest and established safeguards

How does POPIA’s justification of processing compare with the GDPR’s legal bases?

Under POPIA and GDPR, processing is justified when:

  • Consent is obtained from the data subject, or from a competent person where the data subject is a child
  • Processing is:
    • necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party
    • necessary to comply with an obligation imposed by law on the responsible party
    • necessary for the proper performance of a public law duty by a public body
    • necessary to protect a legitimate interest of the data subject. This might be read as covering the data subject’s “vital interests”, the term the GDPR uses, but this is unclear.
    • necessary for pursuing the legitimate interests of the responsible party, or of a third party to whom the information is supplied. The GDPR’s legitimate-interests basis (Art. 6(1)(f)) likewise covers the interests of the controller or of a third party.

Rights of data subjects

POPIA right: The right to be notified
GDPR equivalent: Right to be informed

POPIA right: The right to access
GDPR equivalent: Right to access

POPIA right: The right to request correction, deletion or destruction of personal information
GDPR equivalent: Right to rectification and right to erasure

POPIA right: The right to object, when the processing is justified by the legitimate interests of the data subject or of the responsible party, and when the processing is for direct marketing purposes
GDPR equivalent: The right to object, when processing is necessary for the performance of a task carried out in the public interest, when processing is necessary for the controller’s legitimate interests, and (Art. 21(2)) when processing is for direct marketing

POPIA right: The right not to have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications, and the right not to be subject, under certain circumstances, to a decision with legal consequences that is based solely on automated processing. This is further discussed below in “Additional Remarks”.
GDPR equivalent: Right not to be subject to a decision based solely on automated processing

POPIA right: The right to complain to the Regulator
GDPR equivalent: Right to lodge a complaint with the supervisory authority

POPIA right: The right to an effective judicial remedy
GDPR equivalent: Right to bring proceedings against a controller or a processor

How does POPIA compare with GDPR in the following circumstances?

Processing for the purpose of direct marketing

Under POPIA, and in the EU under the ePrivacy Directive (the GDPR itself grants a right to object to direct marketing under Art. 21(2) rather than a prohibition), processing the personal information of a data subject for direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMS or e-mail, is prohibited. The exceptions are when the data subject has consented to the processing, or when the data subject is a customer of the responsible party, subject to certain conditions: the responsible party obtained the contact details in the context of the sale of a product or service and is marketing its own similar products or services.

Additionally, it is essential that the data subject be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to direct marketing related use of their electronic details. Direct marketing communication must accordingly contain the details and identity of the sender in addition to an address or other contact information to which the recipient may request that such communications cease.

Transfers outside of Republic under POPIA

The responsible party must not transfer personal information to a third party in a foreign country aside from the following exceptions.

Transfer exception: The third-party recipient is subject to a law, binding corporate rules (that is, policies within a group of undertakings) or a binding agreement which provides an adequate level of protection.
Remarks: Although very similar to the GDPR, there is no certainty as to what a “binding agreement” refers to. It could be something equivalent to the GDPR’s requirements, or it could look more like the GDPR’s Standard Contractual Clauses.

Transfer exception: Consent of the data subject.
Remarks: In the GDPR, consent of the data subject is also a clear exception allowing transfers outside the EU that are not covered by appropriate safeguards.

Transfer exception: Necessary in order to perform a contract.
Remarks: This will undoubtedly be a source of debate. Responsible parties will likely consider their own business choices to be necessary.

Transfer exception: The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the consent of the data subject for that transfer, and, if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
Remarks: This exception expects responsible parties to display a high standard of conduct, relying on an objective assessment of what is “reasonably practicable”. Moreover, it requires the responsible party to make an objective assessment of whether the data subject would be likely to give consent.

Additional Remarks

  • The Regulator may exempt any responsible party from compliance with POPIA for the purpose of satisfying public interest or for the benefit of the data subject.
  • Automated decision making is not based on the data subject’s consent but rather on a contract or law/code of conduct. Moreover, POPIA safeguards for automated decision making are narrower than in the GDPR. While POPIA provides only a possibility to make representations, GDPR provides a trio of rights related to automated decision making: obtain human intervention, express the point of view, and appeal the decision.
  • Responsible parties under POPIA are able to process personal data where the processing is deemed to be in the data subject’s legitimate interest. However, the phrasing of this concept is ambiguous, and it will likely become a source of abuse. For instance, an easy line of defence for businesses is to argue that they have evaluated the data subject’s interest. Similarly, the customary assessments of interests done by marketing departments are reflected in cookie banners like the one shown here.
[Figure: example cookie banner]

In the long run, as a cultural shift towards more privacy takes place, friction will increase between individuals who want more privacy and organisations who want more data. Accordingly, regulations like POPIA and the GDPR are essential for working through this friction.


This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

The post A Comparison of POPIA and GDPR in Key Areas appeared first on TechGDPR.

Blockchain & DLT under the GDPR explained to the European Commission
https://techgdpr.com/blog/blockchain-dlt-under-the-gdpr-explained-to-the-european-commission/ Tue, 04 Jun 2019 15:14:26 +0000
Today, I had the opportunity to present the key issues of Blockchain & DLT under the GDPR to a delegation of the European Commission in Berlin. Below is a summarised version of the issues I presented.

1. Is the Opinion 05/2014 by Working Party 29 still valid?

The Article 29 Working Party issued comprehensive guidance on anonymisation techniques in April 2014 (WP216). It sets a high standard for what counts as true anonymisation and specifies what is to be understood as pseudonymisation, which is merely a method of reducing the linkability of a dataset to the original identity of a data subject.

Many applications of DLT require some verification data to be stored on-chain, which, depending on the interpretation and the specific requirements, can be seen as anonymous or as pseudonymous.

During its first plenary meeting on May 25th, 2018 the European Data Protection Board (EDPB) endorsed a number of GDPR related WP29 Guidelines, but not “Opinion 05/2014 on Anonymization Techniques” by “Art. 29 Working Party”.

The EDPB should clarify whether this opinion by WP29 may be used as a guideline, or ideally issue new guidelines that allow for sufficiently protected pseudonymous data and verification hashes to be recognised as anonymous.

2. Clarification of distribution of responsibilities in a decentralised environment (DLT) according to given roles under GDPR.

The architecture (or topology) of systems using DLT is vastly different from that of more traditional systems comprising a client-server or client-cloud architecture. The GDPR is clearly designed for a client-server architecture, with clearly distinguishable rights and duties between a data controller, who is primarily responsible, a data processor, who processes data on behalf of a controller, and a data subject, whose personal data is being processed.

[Figure: centralised, decentralised and distributed network topologies]

This is not translatable into blockchain or distributed ledger technology, where every node could play every role, not overseen by a central entity or system. Participants may have different roles under different circumstances, and may have multiple roles at the same time. In addition, the requirement of concluding a Data Processing Agreement in a public permissionless network is very difficult to fulfil, and other overarching measures may be required.

Clarification of the GDPR roles of the different actors within the blockchain ecosystem, under different circumstances is highly desirable to give innovators enough legal certainty to continue their efforts.

3. Clarification regarding deletion and rectification obligations under DLT.

Under Article 16 and 17 of the GDPR, data subjects have the right to have incorrect personal data corrected, and have their personal data that is no longer required erased.

This poses a problem when using DLT, which primarily derives its trust from its immutability. Because data on a DLT, including personal data, cannot be rectified or erased, and many blockchains are public, the best practice so far is not to store personal data directly on a blockchain but only a verification value of some kind, typically a hash. However, as highlighted above, there is currently no valid guidance on the exact limits of anonymisation, so how this is to be applied remains unclear.

Technical approaches to this problem exist: nodes can restrict access to certain information; only ‘keyed hashes’ may be written on-chain, each with a unique key stored off-chain that can be deleted; or a mutable implementation of DLT can be used. The last option relies on a trusted third party, which removes the very property that makes the technology trustworthy and defeats the appeal of blockchain and DLT, so it should not be seen as a true solution.
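A worked illustration of the ‘keyed hash with a deletable off-chain key’ approach, added here as an example; it is not code from the original presentation. It assumes the keyed hash is HMAC-SHA256 with a random per-record key (one reasonable reading of ‘keyed hash’; other constructions are possible) and uses a constructed in-memory ledger, key store, sample e-mail addresses and attacker dictionary. It shows why an unkeyed hash of low-entropy personal data such as an e-mail address is at best pseudonymous (anyone with a dictionary can relink it, and the key holder can always relink a keyed one), and how erasing the off-chain key leaves the immutable on-chain value in place while making it unverifiable and unlinkable:

```python
"""Keyed verification hashes on an immutable ledger with off-chain, deletable keys.

Added example (not the presenter's code). The ledger, key store and sample data
are constructed for illustration; "keyed hash" is assumed to mean HMAC-SHA256.
"""
import hashlib
import hmac
import secrets

# Constructed sample personal data (not real people).
SAMPLE_RECORDS = {
    "rec-1": "alice@example.com",
    "rec-2": "bob@example.com",
}

# Constructed attacker dictionary: the guesses an adversary would try against a
# plain hash of low-entropy personal data such as an e-mail address.
ATTACKER_DICTIONARY = ["carol@example.com", "alice@example.com", "bob@example.com"]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of the value, as many DLT applications store on-chain."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(key: bytes, value: str) -> str:
    """HMAC-SHA256 of the value under a per-record key that never goes on-chain."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only list of (record_id, digest); entries are never mutated or removed."""

    def __init__(self):
        self.entries = []

    def append(self, record_id: str, digest: str) -> None:
        self.entries.append((record_id, digest))

    def lookup(self, record_id: str):
        for rid, digest in self.entries:
            if rid == record_id:
                return digest
        return None


class OffChainKeyStore:
    """Mutable store under the responsible party's control; keys can be erased."""

    def __init__(self):
        self._keys = {}

    def new_key(self, record_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[record_id] = key
        return key

    def get(self, record_id: str):
        return self._keys.get(record_id)

    def erase(self, record_id: str) -> None:
        self._keys.pop(record_id, None)


def commit_record(ledger: Ledger, keystore: OffChainKeyStore, record_id: str, value: str) -> None:
    """Generate a fresh key off-chain and write only the keyed digest on-chain."""
    key = keystore.new_key(record_id)
    ledger.append(record_id, keyed_hash(key, value))


def verify_record(ledger: Ledger, keystore: OffChainKeyStore, record_id: str, claimed: str) -> bool:
    """True only while the key still exists and the claimed value matches the on-chain digest."""
    key = keystore.get(record_id)
    digest = ledger.lookup(record_id)
    if key is None or digest is None:
        return False
    return hmac.compare_digest(digest, keyed_hash(key, claimed))


def dictionary_attack(digest: str, dictionary, key: bytes = None):
    """Try to relink an on-chain digest to a person by guessing the input; None if no guess matches."""
    for guess in dictionary:
        candidate = plain_hash(guess) if key is None else keyed_hash(key, guess)
        if hmac.compare_digest(candidate, digest):
            return guess
    return None


def demo() -> dict:
    ledger, keystore = Ledger(), OffChainKeyStore()
    for rid, email in SAMPLE_RECORDS.items():
        commit_record(ledger, keystore, rid, email)
    results = {}
    # An unkeyed hash of an e-mail address is relinkable by anyone with a dictionary.
    results["plain_hash_relinked"] = dictionary_attack(plain_hash("alice@example.com"), ATTACKER_DICTIONARY)
    # The keyed digest cannot be relinked without the key ...
    results["keyed_hash_relinked_without_key"] = dictionary_attack(ledger.lookup("rec-2"), ATTACKER_DICTIONARY)
    # ... but the key holder can, which is why it is pseudonymous, not anonymous.
    results["keyed_hash_relinked_with_key"] = dictionary_attack(
        ledger.lookup("rec-2"), ATTACKER_DICTIONARY, keystore.get("rec-2"))
    results["verifies_before_erasure"] = verify_record(ledger, keystore, "rec-1", "alice@example.com")
    # Erasure request for rec-1: destroy the key; the ledger itself is untouched.
    keystore.erase("rec-1")
    results["verifies_after_erasure"] = verify_record(ledger, keystore, "rec-1", "alice@example.com")
    results["ledger_entries_after_erasure"] = len(ledger.entries)
    results["other_record_still_verifies"] = verify_record(ledger, keystore, "rec-2", "bob@example.com")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ledger still holds both entries after the erasure; the guarantee rests entirely on the key having been destroyed everywhere it was copied, including backups, and on the original value not being recoverable from elsewhere. Whether that amounts to erasure under Article 17 is precisely the guidance the presentation asks the EDPB for.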

Even in more traditional settings that use data backups, it cannot be assumed that all personal data is effectively deleted, in particular from offline tape backups. It can also be questioned what the technical implementation of ‘deleting data’ in the traditional sense really is: under most circumstances it is just ‘unlinking’ data, which can still be recovered.

Further guidance, and more flexibility on the interpretation of deletion and rectification obligations, in particular in a blockchain environment, is requested.

4. Request to ensure future guidance takes the different blockchain and DLT architectures into account.

When the EDPB or other regulators provide guidance on blockchain under the GDPR, it is essential to understand and consider the different blockchain architectures currently available, and possibly those of the future. A public permissionless blockchain, which anyone may join, participate in and download, is vastly different from a private permissioned one. Related technologies that are technically not blockchains but still fall within the scope of distributed ledger technology, such as the Tangle and Hashgraph, have yet another very different architecture and require a different approach.

We’d like to urge the regulators and in particular the EDPB to take these fundamental differences into account when issuing further guidance.

The post Blockchain & DLT under the GDPR explained to the European Commission appeared first on TechGDPR.