Artificial Intelligence (AI) relies on a few things – collecting large amounts of data and then making autonomous decisions or actions based on the acquired data and certain algorithms or rules to arrive at the resultant decision.
That sounds pretty straightforward – until the new General Data Protection Regulation (GDPR), effective since May 25, 2018, started affecting all EU-based companies and those companies that provide goods or services to EU residents, or who store or process EU resident personal data. GDPR has a major impact on AI development and deployment, with particular emphasis on Article 22, which:
- Limits the use of autonomous decision making systems to process GDPR data.
- Requires that all businesses would generally need to undergo the time-consuming process of obtaining and recording explicit consent from all customers involved.
- Requires that all data subjects (EU resident) have the right to inspect the rules and provide their objection to the decisions made through the autonomous system.
There are also many other provisions that will delay or invalidate the advances of AI development and use in the EU data relevant countries. The net result of the GDPR on the development and rollout of AI systems and technology include higher labor costs to implement, significantly higher costs on innovation and productivity, and competitive disadvantage in the world economy.
Other GDPR impacting issues, including slowing AI development and deployment and increased costs are reflected in the following GDPR requirements:
- GDPR Article 22 requires that companies manually review significant algorithmic decisions – raising labor costs.
- EU data subjects (residents) have the right to explanation for all decisions that were AI based.
- EU data subjects (residents) have the right to erasure (right to be forgotten) which will require manual intervention of AI based systems, which “remember” data they use to train or refine themselves with.
- EU data is restricted from being repurposed for other business objectives or programs.
- EU data used by companies must provide de-identification of the data subjects, and the rules and methods are at this point vague. Companies could face substantial fines and/or rebuilding of AI systems to meet GDPR rule clarification in the future.
- Additional localized GDPR specific rules may be imposed within the EU countries further restricting EU subject data, as does the data-localization rules of GDPR Chapter 5 that impose strict controls on flows of personal data outside of the EU.
The net result is the GDPR has generally a negative effect on AI development and implementation for those companies that must comply with GDPR, will limit both the emergence of European companies that develop and sell AI solutions globally, and the use of AI itself in European companies. For those foreign companies that do business in the EU, there will also be a negative impact, in that AI systems will not be offered. They will be discouraged from offering these services within the EU environment. The EU economy will be impacted because EU companies will be at a competitive disadvantage to similar companies in the Americas and Asia.
GDPR is a good deal for protecting EU resident personal data, but until similar regulations are enacted in other countries and continents, the EU economy will bear the burden and suffer competitive erosion. The way to resolve this is the amend the GDPR to make it more company-friendly and technology-neutral. Further rule clarification is needed, and that will come with time and real-life cases brought before the EU Council that may force them to clarify the rules.
About the Author:
Director of Cybersecurity Solutions
JOIN THE CONVERSATION
Share your thoughts and questions in the comment section below. To get the latest news from PCM, follow @PCM on Twitter, join us on Facebook, or connect with us on LinkedIn. To get the latest news sent straight to your inbox, join our newsletter.