Some DPAs face up to AI challenges

As personal data is increasingly at the centre of advanced economies around the world, the role of Data Protection Authorities becomes more wide-ranging in scope, guiding, battling and sometimes cooperating with the organisations they are working to regulate.

France’s CNIL announces annually its priority sectors for investigations, and this year they include smart cameras, the management of health information and mobile apps.

The CNIL’s focus on mobile apps

The CNIL explains its interest in mobile apps stating that mobile device manufacturers, such as Apple and Google, “provide app publishers with identifiers that allow users to be tracked for advertising, statistical or technical purposes … The systematic use of these identifiers, the "mobile" equivalent of the massive use of cookies on websites, is often carried out without the information or consent of users.”

Following the amendment of the CNIL’s 2020 recommendation on the use of cookies and other tracking devices, “several checks have already been carried out on apps that access identifiers generated by mobile operating systems in the absence of user consent. The CNIL will continue its investigations in 2023.”

Health data from smart devices

In addition to geo-location, there is an ever-increasing amount of sensitive health data being collected. Smart watches are being developed which measure blood alcohol levels (used for measuring impairment to drive vehicles) and sugar levels. Such monitoring raises the question of who is gaining access to this type of data. Health apps have a poor record on transparency, such as sharing data with 3rd parties without most users being aware.

Smart vests for footballers and other athletes are already in use to collect performance metrics. Innovation continues. Smart fabrics are being developed which will monitor heart rate and sweat.

A smart bandage has been developed (The Guardian 25 March 2023 p.25) which could help chronic wounds heal in the form of “ a stretchable, wireless, bioelectronic system that can stick to the skin…. The biosensors mean the “smart bandage” device can monitor features of the wound … metrics that provide important insights into whether the wound is infected and its levels of inflammation….. “All the signals can be wirelessly sent to a user interface [such as] a computer or a cellphone,” said Dr Wei Gao, a co-author of the research from the California Institute of Technology. “We can wirelessly control the drug release…”

The fuzzy borderline between personal and sensitive data

In legal terms, when does personal data processed by such devices become sensitive health data? Companies can re-purpose such data and the metadata has value for them. But people whose data has been used are increasingly demanding a share of the value derived from this data (PL&B International Report October 2022).

DPAs will be increasingly challenged by the use of virtual and augmented reality headsets. While immersive technology is making swift strides ahead, most users are unlikely to realise that the data collected includes eye dilation, eye movement, heart rate increases and changes of mood and emotions.

DPAs and AI

Some DPAs are tackling AI issues. They are likely to be most effective when operating with an optimum combination of commitment, sufficient resources and legal powers and rights, as shown in these examples:

• Italy’s Garante put a temporary stop to the deployment of US-based Replika’s Artificial Intelligence chatbot, although the company would be more concerned if the European Data Protection Board took a similar position
• Norway’s Data Protection Authority has now received government funding to extend the work of its sandbox from AI to also include other subjects
• Korea’s amended Personal Information Protection Act enhances data subjects’ rights by providing the right to refuse or contest decisions made solely by automated means without any human involvement, such as AI-driven systems.

On 15 March, the day after OpenAI released GPT-4(1), the United Kingdom’s well-resourced Information Commissioner’s Office updated its guidance on AI.(2) The ICO states that it “… supports the UK government’s vision of a pro-innovation approach to AI regulation and more specifically its intention to embed considerations of fairness into AI.”

It addresses the following issues relating AI to data protection principles and law:

1. What are the accountability and governance implications of AI?
2. How do we ensure transparency in AI?
3. How do we ensure lawfulness in AI?
4. What do we need to know about accuracy and statistical accuracy?
5. Fairness in AI

Cooperation works

Some companies engage with the regulators. A few years ago, Nike responded positively when the Netherlands Data Protection Authority investigated the data sharing aspects of Nike’s running shoe app (PL&B International Report June 2016 p.14).

The Netherlands DPA has also achieved success in working co-operatively with Tesla. Following an investigation, the company has made the settings of its cars’ built-in security cameras more privacy-friendly. In a win-win, the DPA did not fine or otherwise sanction the company because owners are legally responsible for operation of the cameras and anyway, the company cooperated and changed the way that the cameras worked.

Who’s Watching Me?

AI, the Metaverse, regulatory developments at EU and national levels, Privacy Enhancing Technologies, companies at the forefront of balancing privacy values with commercial aims, and many more subjects feature in 33 sessions with 60+ speakers from 15 countries at Who’s Watching Me? PL&B’s 36th International Conference 3-5 July at St. John’s College, Cambridge.

Make it the professional highlight of your year. We look forward to welcoming you to Cambridge in July.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

April 2023