How is the protection of personal data and privacy evolving concerning Artificial Intelligence? A starting point to reflect on this sometimes complex relationship.
AI has been developing at an exponential rate in recent years, entering everyone's daily life. Many questions arise when you consider that machine learning, on which intelligent systems are based, is designed to process huge amounts of data. Where does this data come from? Is it handled ethically, with respect for personal, social, and individual rights? How do privacy protection and artificial intelligence fit together?
How AI works
Artificial Intelligence increases our ability to interpret reality. It can be applied in many areas: to help a user through a purchase, navigate to a destination, translate a text, receive a medical diagnosis, make a reservation or a phone call, screen job candidates, even play a game of chess or create a work of art.
To produce these kinds of outputs, AI must have enough inputs (i.e., data) to draw precise conclusions: the best results come from having a large amount of data at hand, combined with self-learning (machine learning).
The data that "feed" Artificial Intelligence
The personal data processed by AI systems typically fall into several categories:
data that allow direct identification (personal data and images);
data that allow indirect identification (e.g. tax code, IP address);
data revealing particular characteristics of individuals, such as ethnic origin, religious or philosophical beliefs, political opinions, health status, sexual life and orientation, genetic data, biometric data;
judicial data, i.e. data relating to criminal convictions or offences or related to security measures; and
data relating to electronic communications.
All this data is necessary to "train" the AI, but, of course, it usually belongs to someone.
Artificial intelligence and the right to privacy: a trade-off relationship?
When we agree to give up part of the confidentiality of the data that concerns us (the right to privacy), we should realize what this means.
From each of our visits, clicks, and interactions, websites collect, also through AI, a mass of data that is then used to propose content related to us, or useful for us. This is why data can be said to generate value.
The big online platforms (also called "superstar companies") are those that extract value from the huge amount of user data, providing in return profitable services, financed in part or entirely by advertising.
However, we need to be aware of the mechanisms behind these systems, as often what determines "good" or "bad" AI is how it is used.
One of the negative forms of data use is, for example, the manipulation of public opinion through the spread of fake news. Disinformation campaigns, which everyone has come across on the web at least once, are the most common (and most actively combated) risky use of user data.
The news shown can be completely fake, or present only one side of an issue, a single point of view, thus promoting polarization and the spread of social discrimination.
Particularly risky is the use of AI algorithms to automate decisions in health, finance, and justice: trained on a restricted dataset, they can be biased in one direction or another.
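A toy sketch can make this concrete. All names and numbers below are invented for illustration: a decision rule "learned" from a narrow dataset (scores from only one group) ends up rejecting wholesale a population it never saw.

```python
# Hypothetical, invented data: credit-style scores from a single group,
# used to "train" a trivial automated decision rule.
train_scores = [700, 720, 710, 730, 705]

# The rule learns a cutoff from the restricted dataset alone.
threshold = sum(train_scores) / len(train_scores)  # cutoff of 713.0

def automated_decision(score: float) -> str:
    """Approve only scores at or above the cutoff learned from the
    restricted training data."""
    return "approve" if score >= threshold else "reject"

# A group absent from the training data happens to score lower on this
# scale, so every one of its applications is rejected: a bias baked in
# by the dataset, not by any explicit rule about the group.
unseen_group = [690, 695, 688]
decisions = [automated_decision(s) for s in unseen_group]
```

Nothing in the code mentions the unseen group, yet the outcome discriminates against it systematically, which is exactly why a restricted dataset is dangerous in automated decision-making.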
Even in the political arena, AI's use of users' data can be a particularly thorny topic. As the Cambridge Analytica case testifies, the political debate can be influenced by the information we receive through the Internet and social networks, up to, in the worst-case scenario, a constantly monitored and surveilled society.
For this reason, particular attention is required from policymakers, who will have to implement new forms of protection to safeguard the sensitive data of consumers and citizen-users.
Legislation and new scenarios on personal data protection
Given the need to manage and regulate the flow of personal data needed, among other things, to feed AI, and to govern the whole complex issue of privacy protection, legislation on personal data protection was drafted.
European legislation took up the challenge of keeping pace with rapid technological evolution, first through Directive 95/46/EC, later replaced by a full-fledged regulation, Regulation (EU) 2016/679, the so-called General Data Protection Regulation (GDPR).
While there is no clear and explicit reference to Artificial Intelligence, the Regulation applies to anyone who acquires and processes individuals' personal data, thus including those who make use of AI systems. Under the GDPR, data controllers are required to:
define the purposes of processing;
inform about the use made of artificial intelligence;
collect consent to data processing and profiling;
determine the legal basis;
assess the impact that the use of AI has on individuals;
explain how the technology works, identifying the criteria behind its operation;
intervene when data subjects' rights are violated;
communicate and inform in cases of data breaches.
In Italy, the GDPR became applicable on 25 May 2018, confirming the assignment of the supervisory role to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), which must ensure, precisely, the right to the protection of personal data and take the measures provided for by the legislation.
However, machine learning adds a new element to the already difficult relationship between artificial intelligence and personal data protection. It can come into conflict with Article 22 of the GDPR and Recital 71 thereof, which express a general prohibition on subjecting the data subject (the individual whose data are processed) to automated decision-making processes devoid of human intervention.
In this sense, an autonomous evolution of, and change in, the conditions of processing by the AI would appear to lack a contractual basis and would therefore be unlawful.
However, the latest trends in artificial intelligence support the continuous interaction between humans and machines, since the latter would not (yet) be so intelligent as to operate in complete autonomy. Moreover, according to the accountability principle, it is the data controller who has to put in place "appropriate technical and organizational measures" to ensure (and demonstrate) compliance with the GDPR.
The Regulation also introduces the principle of "Privacy by design", according to which data protection must be implemented as early as the design of the technology or process through which data will be processed.
The recent study "The Impact of the General Data Protection Regulation on artificial intelligence", carried out in the context of the EPRS (European Parliamentary Research Service) in June 2020, is part of this approach.
We are therefore witnessing a reversal of perspective, in which the technology itself must be designed, even before it exists, to respect the fundamental right to the protection of personal data.
This context also includes data pseudonymization, analyzed by the above-mentioned study as a mechanism to preserve the efficiency of AI: the degree to which collected information can be linked to a person is reduced in part (pseudonymization) or, as with anonymization, entirely.
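A minimal sketch of what pseudonymization can look like in practice, using a keyed hash (HMAC-SHA256) to replace a direct identifier with a stable token. The field names, key, and record are all hypothetical; this is one common technique, not a prescription from the study.

```python
import hmac
import hashlib

# Hypothetical secret key, stored separately from the dataset.
# Whoever holds the key could re-link tokens to people, which is why
# pseudonymized data still counts as personal data under the GDPR.
SECRET_KEY = b"replace-with-a-securely-stored-key"

def pseudonymize(identifier: str) -> str:
    """Replace a direct identifier with a keyed hash.

    The same input always maps to the same token, so records can still
    be linked together for training an AI model, but the person cannot
    be re-identified without access to the key.
    """
    return hmac.new(SECRET_KEY, identifier.encode("utf-8"),
                    hashlib.sha256).hexdigest()

# Hypothetical record: the direct identifier is replaced, while the
# attributes useful to the model are kept.
record = {"email": "mario.rossi@example.com", "age": 42}
record["email"] = pseudonymize(record["email"])
```

Because the mapping is deterministic, the AI system can still join and aggregate records; destroying the key pushes the data toward anonymization, since the link back to the individual is lost.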
Legislation has not yet fully absorbed the impact of technological and scientific innovation. The goal is to find the right balance between technological development and personal data protection, between artificial intelligence and privacy, promoting greater transparency of AI systems, grounded in genuine digital ethics.
(Source: Agenda Digitale – “Intelligenza artificiale, ecco come il GDPR regola la tecnologia di frontiera", 11/10/19, by R. Goretta)