Date Published 13 Apr 18
Artificial Intelligence and the problem with privacy.
This blog post discusses how the General Data Protection Regulation (GDPR), if properly enforced, can support organisations deploying artificial intelligence (AI) with the appropriate governance. As digital ethics and privacy become increasingly intertwined, it is crucial to ensure we set clear guidelines about what businesses can and cannot do with people’s data.
Technology is changing our day to day lives and we should embrace this development. When it comes to AI, the issue is not innovation, or the pace of technological improvement. The real problem is its governance, the ethics underpinning it, the boundaries we give it and, within that, the roles for defining the solution to these problems.
Now, when it comes to privacy – can we really teach AI technology to embrace data protection principles? We have seen over the past few weeks, with Facebook being a prime example, how privacy (or the lack of it) is a major issue and we must address it. With the General Data Protection Regulation coming into force in May, data breaches will become more and more expensive for organisations and AI needs to be able to adhere to the GDPR. Is this possible?
Looking at some of the core principles that sit at the heart of the GDPR, there is clearly some scope for securing AI.
Let’s take the right to fairness as an example. This, as defined by the GDPR, requires all processing of personal information to be conducted with respect for the data subject’s interests, and that the data be used in accordance with what he or she might reasonably expect. This principle also requires the data controller to implement measures to prevent the arbitrary discriminatory treatment of individual persons, and not to emphasise information that would lead to arbitrary discriminatory treatment. Now, if enforced, the GDPR could potentially lead to a review of the documentation underpinning the methods AI employ in the selection of data, an examination of how the algorithm was developed, and whether it was properly tested before it came into use. This is particularly important as one of the issues around AI is that it is based on data input by humans and (to varying degrees) humans all present a natural bias which AI simply amplifies, an issue that was recently explained in the Guardian.
Another key principle is data minimisation, which would force developers to consider how to enable AI to achieve a set objective in a way that is least invasive for the data subjects. This goes alongside the principle of purpose limitation which regulates that the data subject exercises control over his or her own personal information.
The transparency in processing requirement as stipulated in the GDPR may prove more tricky to adhere to as the advanced technology is often too complex to understand and explain. Similarly, black box learning* makes it practically impossible to explain how information is correlated and weighted in a specific process. Furthermore, commercial information may also be used, and this makes it harder to inform the data subject. However, enforcing the GDPR means organisations must adopt a pragmatic approach so that machines can meet this transparency principle. To that end, the legislation is very clear and potentially very effective, especially in relation to automated decision making.
It was disappointing to see that the right to an explanation** did not make it into the GDPR itself. It is mentioned in the preface which is not binding and cannot of itself grant the right to an explanation. However, irrespective of that, the legislation does seem to suggest that the data controller must provide as much information as possible. The debate is open, and court cases will determine the extent of this. Pressure coming from the public will be crucial in shaping some of these decisions.
What is good to see is that practical steps, focused on a privacy by design approach, can be implemented to ensure that AI meets the GDPR and ensures the right to privacy. Although the legislation does not go as far as it could, it is the first step we need on the road of defining the principles governing the machines that, some say, are governing us.
*When rules are applied AI does a lot of complex math. This math often can’t be understood by humans, yet the system outputs useful information. When this happens, it’s called black box learning. We don’t really care how the computer arrived at the decision it’s made, because we know what rules it used to get there.
**The right of explanation refers to the right to know the algorithm underpinning a decision. It didn’t make it into the GDPR in its original form.
Ivana Bartoletti - Head of Privacy and Data Protection
Please complete the below form