GDPR requirements are here and making waves--especially when it comes to artificial intelligence.
If you've spent any time online, you've likely received several emails recently from online services outlining how personal data is collected, stored and used. These emails stem from implementation of the European Union General Data Protection Regulation (GDPR), which is among the world’s toughest online privacy rules. U.S. companies are subject to GDPR compliance if they collect personal data from anyone in an EU country.
The new regulations are designed to give Internet users more control over what is collected and shared about them. Organizations that don't meet the GDPR requirements face punishments including fines of up to 4 percent of global revenue. Data released by Alert Logic on May 24--the day before the GDPR requirements went into effect--showed that only 7 percent of companies were on track to achieve compliance with GDPR. The majority of firms that weren't ready for GDPR cited a lack of expert staffers as the reason for their noncompliance, according to the data, which came from the Crowd Research Partners’ 2018 GDPR Compliance Report. Budgetary limits and a lack of understanding of the requirements of GDPR were also given as reasons for noncompliance.
Impacts on AI and Data Availability
Ready or not, the impact of GDPR will be far reaching, and one area that will feel the effects sooner rather than later is artificial intelligence.
"GDPR will, undoubtedly, have an impact on the development and use of AI technology," said K.J. Dearie, a product specialist and consultant for Termly.
Companies subject to the European legislation will need to get explicit permission from users when they seek to collect, process, store, transfer, or otherwise use their data — and data is what AI needs to learn.
"AI relies on data for training — the larger the volume and the more specific the data, the smarter the AI," said Bassam Khan, vice president of product marketing at the IT analytics firm ControlUp.
And the more data available for machine learning, the better a system's predictions will be.
"As artificial intelligence is built on droves and droves of data, companies that utilize AI will have an added barrier to deploying this technology," Dearie said.
ControlUp believes that the GDPR requirements for a subject's "right to access" and "right to erasure" of personal data is relevant only to machine learning platforms that retain personal data, Khan said. The ControlUp model learns from and then discards training data, for example.
For companies subject to GDPR requirements, users who interact with the company's AI will need to be informed of the data being gathered, and then have to give their consent for that data gathering. "With this step being mandated by the GDPR, companies can no longer encourage interactions between website visitors and AI features without considering who that customer is and if they have given their consent to have their data collected," Dearie said.
"With respect to processing that has direct legal effects on the customer, such as credit applications, e-recruiting or workplace monitoring, the GDPR will limit the usefulness of AI for these purposes," said Lily Li, a privacy lawyer based in Irvine, California who focuses on privacy and cybersecurity law. Under Article 22 and Recital 71, companies would generally need to get explicit consent from all parties involved, a time-consuming process.
Human oversight will be critical in teaching machines how to tell which GDPR regulations need to be followed and which do not, ControlUp's Khan said. "With GDPR, system admins will have to consider a platform that can expedite the sorting of good versus bad data with new GDPR rules based on evaluating the source of its data. IT operations that use third-party data may see an increase in cost or new policies as the world pauses to consider the sources of data and the legal risks they face by using it.
The GDPR Upside for AI
All of this is not to say that there won't be any upside to GDPR when it comes to AI. In fact, Termly's Dearie believes that harmony between GDPR and AI can be established.
"For instance, AI may well be employed as the means by which companies obtain necessary user consent, and can be used to create an interactive experience between the consumer and the site that facilitates a better understanding of that site’s data privacy practices for the user," Dearie said.
And, longer term, there may be benefits for fraud detection, as well, said Li, the privacy lawyer.
"With respect to fraud prevention and breach detection, the GDPR will increase the usefulness of AI," Li said. "Since AI detection of cyber threats will likely protect the rights of customers, and serves legitimate interests as recognized in Recital 47, GDPR will spur investments in AI cybersecurity."