Data subject rights need interpretation for the AI age

The one thing most people know who know anything about data protection law is the right of access to one’s personal data and an organisation’s duty to respond in a timely manner. Such a simple concept, in principle, is now becoming more complex as AI becomes ever more prominent, and in some contexts arguably dominant.

Guido Scorza, Member of the Board of the Garante, Italy’s Data Protection Authority, said at the CPDP conference in Brussels, in a pre-event session on 21 May, that privacy is not an absolute right, as it must be balanced with other rights. “We must not prevent innovation” he declared.

At PL&B’s 37th International Conference Scorza will explain how this policy is interpreted by the Garante in its current investigation of Open AI’s ChatGPT and by the European Data Protection Board’s decision-making on these issues. An OpenAI lawyer will give the company’s perspective.

Application of data subject rights in the data scraping era

How should data subject rights be applied in this era of data scraping? Should personal data rights extend to objection to one’s personal data being collected at all for AI training? If so, how would it be achieved? Or should there be an implied right of anonymisation, to not be identified? If even specialists do not know for sure exactly what is going on in an AI “black box” then it would seem that the only way forward is for either objectors’ personal data to not be collected (data minimisation) or that it is filtered out at the output stage.

In this June edition of PL&B International Report, we publish several articles on national and international initiatives in the AI area at EU level but also, for example, in Italy, and Brazil.

AI in Africa

Last month’s conference in Kenya provided practical examples of how AI is being deployed to assist the work of DPAs in Africa with examples from Kenya, Mauritius and Ghana. Not all experiments involve personal data. One was to control an invasion of locusts! But those which do involve personal data show how AI can be deployed for good.

Reclaim your face campaign

A theme at the CPDP conference was whether control of personal data should be processed centrally or at the level of the individual device. Erik Neuenschwander, User Privacy Manager, Apple, US, explained how Apple is adopting a technical approach to privacy protection by shifting the processing for advanced wearable devices and even standard mobile devices to the device rather than central processing.

In describing this on-device processing policy in writing, he acknowledged: “without proper safeguards and privacy brakes, spatial computing including motion and even sentiment could quickly become highly intrusive and compromise user privacy. Left unchecked, harvesting of such data and personal characteristics would be misused to uniquely identify individuals leading to indiscriminate data gathering enabling surveillance down to individual level.”

Neuenschwander raised the question of whether people provide their personal data intentionally. Clearly not, if they are often not even aware of the scope or depth of information collected about them, for example, about their emotions.

Apple’s position is echoed by civil rights organisations. Aware of such risks, the European Digital Rights Network (EDRi) is launching “collective action for the masses” as part of the “Reclaim your face” campaign.(1) It states “our faces can be used for facial recognition to make a prediction or assessment about us – and so can our eyes, veins, voices the way we walk or type on a keyboard…” It describes this phenomenon as “biometric mass surveillance.”

Valuable Data, Priceless Privacy

One can expect that such views will become mainstream, so some organisations are taking action. These tensions will be well covered by 82 speakers from 16 countries in PL&B’s 37th International Conference, 1-3 July, now fast approaching. Although only a few in-person places remain, there are an unlimited number of online places.
We look forward to you engaging with your peer groups for what many people tell us is the uniquely valuable and enjoyable highlight of their professional year.

Stewart Dresner
Publisher, Privacy Laws & Business

REFERENCES
  1. reclaimyourface.eu - EDRi is a network “defending rights and freedoms online - a dynamic and resilient collective of 50+ NGOs, as well as experts, advocates and academics working to defend and advance digital rights across Europe and beyond.”

June 2024

News & Blogs

June 2024 Report Contents

Next