GDPR & Artificial Intelligence: The Rise of the Machines and Article 22
The General Data Protection Regulation (GDPR) became effective on May 25, 2018. GDPR is the widest sweeping privacy regulation to hit the global market since the 1995 EU Data Protection Directive. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU residents (EU data subjects). GDPR considers the protection of personal data of EU data subjects a fundamental right, and therefore requires protection and consent regarding how data subject’s data is used (“data processing”). Failure to process data lawfully can result in tough new fines for non-compliance by companies doing business involving EU data subjects.
With so much data in the universe, savvy tech companies like Google, have aggregated data and monetize it for years, but now with the advent of new technologies like artificial intelligence, data provided by people worldwide has become a gold mine to sell that information to advertisers and anyone willing to pay for it. Generally, it’s a software program with a set of algorithms, that mimic cognitive functions of the human mind. One very interesting capability of artificial intelligence is “profiling”, which is the ability of a software program to take in data points about a particular person (or subject), and draw conclusions about that person (or subject).
Most people have not given much thought that their data is being aggregated by these artificial intelligent machines to profile them on a regular basis. Even if most people aren’t interested in artificial intelligence on a daily basis, or even think about it, artificial intelligence is interested in you. When a person does any sort of activity on the internet, with their cellphone, or with any type of payment system, artificial intelligence is aggregating the data to profile you, to either sell that data to someone else, or to draw conclusions about you and classify you.
Interesting enough, the drafters of the GDPR, thought the protection of personal data was so important regarding this new type of technology that they wanted to prevent it from overtaking the fundamental rights of EU citizens, so protections were codified into the GDPR to deal with this sort of technology. A set of specific provisions within the GDPR affect AI-based decisions on individuals, particularly those related to “automated decision making and profiling”. Specifically, the following recitals and Articles concern “automated decision making and profiling”:
- Recital 70 – Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
- Recital 72 – Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the ‘Board’) should be able to issue guidance in that context.
- Recital 73 – Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behavior under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
- Article 4(4) – Definitions – ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyses or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
- Article 13(2)(f) – Information to be provided where personal data are collected from the data subject – In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: …(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Article 14(2)(g) – Information to be provided where personal data have not been obtained from the data subject –
- (2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
- (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- (2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
- Article 15(1)(h) – Right of access by the data subject –
- (1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: … (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Article 21(a) – Right to Object – The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
- Article 22 – Automated individual decision-making, including profiling –
- (1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- (2) Paragraph 1 shall not apply if the decision:
- (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- (b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- (c) is based on the data subject’s explicit consent.
- (3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
- (4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
- Article 35(3)(a) – Data protection impact assessment –
- (1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
- (2) The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
- (3) A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
- (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- Article 83(5)(b) – General conditions for imposing administrative fines –
- (5) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
- (b) the data subjects’ rights pursuant to Articles 12 to 22;
- (c) the transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49;
- (d) any obligations pursuant to Member State law adopted under Chapter IX;
- (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
- (5) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
Article 22 is the main provision most people consider when they analyze “automated decision making and profiling”, but this provision is interconnected with the other provisions listed above. For instance, to be compliant with GDPR, prior to profiling any EU data subject a controller must carry out a data protection impact assessment as part of its obligations under GDPR, and it must maintain this record (see Recital 82 & Article 30). Additionally, under Article 22, if a controller or processor wants to be compliant with GDPR, it must gain consent from the data subject to profile them or make automated decisions about them. To do this, Article 15(1)(h) entitles data subjects to have right to access of the information about solely automated decision making, including profiling, as required under Articles 13(2) (f) and 14(2) (g), namely: (1) the intent and existence of automated decision making, including profiling; (2) meaningful information about the logic involved; and (3) the significance and envisaged consequences of such processing for the data subject; and (4). Essentially, the controller or processor must inform the data subject what the controller or processor has envisioned to do with the data and request consent from the data subject to profile or use automated decision making on the data.
If the controller or processor cannot obtain consent to profile when using an artificial intelligence solution, then the controller or processor may not profile or use the artificial intelligent solution to process the EU data subjects data. Under Article 83, any sort of processing that fails to process data according to the above outlined guidelines will result in a 20M Euro, or 4% of worldwide turnover, whichever is higher, for the company that processes the information. This means that anytime an EU data subject is profiled or an automated decision is made to draw conclusions about them, the data subject must be informed and consent must be given. A data subject can also object at any time to their data being processed by automated decision making or profiling. If there is an objection, the controller or processor must stop processing the data for this purpose.
For the most part, using software or interacting with the internet or a cellphone, artificial intelligent software solutions are constantly making automated decisions and profiling data about the user, and in many instances information consistent with Article 22’s “why” and “how” the profiling is taking place, or the specific consent to profile, is not being given to the user, which is a violation of GDPR and can result in the most extreme fine (i.e., 20M Euro, or 4% of worldwide turnover, whichever is higher).
However, Article 22 is possibly one of the most important provisions in the GDPR. It just may be the framework the world needs to prevent automated decision making and profiling being used improperly. As artificial intelligence becomes more prevalent, lawmakers and regulators need to protect individuals data, or sometime in the future we may be in a world where the machines take over, something eerily familiar with the Terminator Movie Franchise – in the movie “the Rise of the Machines,” one of the leading characters “Connor” lived with no record of his existence just so he could not be traced by Skynet’s artificial intelligent machines, but the machines were still able to find him when those machines profiled and found his wife. Everyday we are getting closer and closer to a reality where artificial intelligence will be able to profile us with a consistency that it will be hard to determine whether its justifiable without the proper consent. Tracking that consistent and regulating it is going to be the hard part.
Remember, hiring experienced legal counsel is necessary to navigate GDPR’s requirements in order to understand all the risks involved even when using artificial intelligence, automated decision making or profiling individuals. Fines for noncompliance can reach millions of dollars. Choose a law firm with expertise and experience.
