Artificial Intelligence and GDPR
The interaction of Personal Data Protection and Artificial Intelligence (AI) becomes particularly interesting when issues arise from the use of personal data with AI.
General Data Protection Regulation (GDPR)
The new General Data Protection Regulation (GDPR) of the European Union (EU), which entered into force on 25 May 2018, aims to give control to citizens of and residents in the EU over their personal data.
Regarding Artificial Intelligence, in particular, GDPR aims to create transparency rights and safeguards against automated decision-making, meaning decisions that are made by machines when personal data is used.
In essence, GDPR states that:
- When companies collect personal data, they have to say what it will be used for, and not use it for anything else.
- Companies are supposed to minimize the amount of personal data they collect and keep, limiting it to what is strictly necessary for those purposes stated. They also are supposed to put limits on how long they hold that data, too.
In short, companies must tell people what data they hold on them, and what’s being done with it.
- Companies should be able to alter or get rid of people’s personal data if requested.
- If personal data is used to make automated decisions about people in an AI system, companies must be able to explain the logic underpinning the algorithm used for the decision-making process, i.e., the general functionality of the automated system.
In particular, Article 22 of the GDPR grants individuals the right to contest a completely automated decision if it has legal or other significant effects on them.