Privacy & Artificial Intelligence. Key aspects of its development
For months, practically all sectors of society have been talking about Artificial Intelligence (“AI”) and about its benefits and risks for minors, for work, for artists and their works, etc.
However, before we begin to consider the potential of AI for all these activities and to worry about that potential, we must first ask ourselves about the risks and characteristics that must be involved in its creation, development and improvement. To do this, it is essential to analyze these aspects from the perspective of the use of personal data and the applicable requirements that must be drawn from the General Data Protection Regulation (“GDPR”).
The fact is that several data protection supervisory authorities, such as the Spanish, French and English ones, have been examining this matter over the years in order to establish minimum requirements that these AIs must take into account when they are going to process, or be trained with, personal data.
Likewise, the European Data Protection Supervisor (“EDPS”) has also taken into account the possible impacts on the processing of personal data in the final recommendations that it has submitted relating to the new AI regulation that the European Union is working on.
From all these bodies, we can extract some common points whose knowledge is essential for AI developers, of which we would like to highlight the following:
· Define an objective and be transparent with the user and use only data for which we have authorization
The creation of an AI is mainly based on the collection of large amounts of information that help the AI to learn to identify patterns, types of data, types of images, etc., so that it is able to apply this knowledge to the information that the end user then provides.
Both for this training phase and for the production phase, the user whose data is being processed must be fully aware of this possibility and be transparently informed of it. For this, it is essential that there is a clear objective that can be conveyed and explained to the user (e.g.: their data will be processed for the purpose of developing an AI aimed at recognizing X disease in future patients) and that the user is transparently informed of possible subsequent processing.
Even if the personal information to be processed is to be anonymized, the user should be informed that their data will be collected and anonymized for a specific purpose.
In addition, it is important to find a legitimate basis that allows the processing of users' personal data, since the absence of such a basis may entail a significant sanction by the supervisory authorities. Not all the data that a company has in its possession can be used for analytical or development purposes; it must be analyzed whether this processing is compatible with the original purpose for which the data was shared by the user.
Finally, it should be noted that the EDPS has recommended that the use of AI be prohibited for purposes of social scoring, recognition of human traits, inference of emotions and the like, which is a clear example that not all the objectives pursued, even if informed and accepted by the user, will be valid in the eyes of legislators and society.
Therefore, it is very important to analyze the data we need in order to limit the access of the AI and its developers to the minimum possible data, as well as to ensure that such data have not passed their reported retention period, since keeping them beyond that period, without notifying the user, would contradict the information provided to the user and, therefore, violate the principles of transparency and data retention imposed by the regulations.
· Oversee the continuous improvement of learning and the process and avoid potential risks and discrimination
Although an AI may have been trained through an appropriate procedure and guided by expert developers, its advantage is that it keeps improving and learning as it is used by users. However, this involves a risk, because once such an AI begins to learn without supervision, it may generate situations that result in illegal or unintentional data processing.
For example, it is possible that the AI will start to use inputs that have been delivered by an end user (answers, documents, models, etc.) to respond to new inquiries, which implies that personal data of the original users may be leaked to the users making those inquiries.
Likewise, there is also a risk that the AI will begin to develop response patterns that may constitute a breach of equality and non-discrimination laws, either because they are based on discriminatory patterns or because, even if they are based on objective data, they have an impact on an area that state laws have sought to protect (for example, an AI aimed at establishing a value for insurance that treats men and women differently).
Likewise, the EDPS has also suggested prohibiting the use of these AIs for the purpose of categorizing people or evaluating the crime risk of a specific person, most likely due to the high impact that this processing may have on the user and its potential to discriminate.
Therefore, it is important to have AI control and review procedures that make it possible to address these potential problems before they have a serious impact on end users, either through discrimination against them or through the disclosure of personal information.
· Protecting against the risks of AI models
As you can imagine, AIs have access to an enormous amount of personal information and, in addition, are generally able to perfectly identify the rest of the information provided to them during training and consultations.
This implies that there is a very high risk that an AI with inadequate security could be subject to cyberattacks for the purpose of obtaining personal information, such as identification, banking information, etc., with the great risks that this entails in terms of impersonation, phishing, and the like.
That is why it is very important to establish a security testing procedure to ensure that AI systems have robust measures that prevent the extraction of the personal information to which they have had access, as well as to limit the retention of personal data to the bare minimum so as to guarantee a low impact (and, therefore, the hacker's low interest) in the event of any security breach in said system.
· User rights and automated decisions
It is important to keep in mind that users will be able to exercise their data protection rights against the companies that own these AIs, which implies that those companies must be able to provide the user with access to the information that the AI may contain, and to rectify or delete it.
For example, as with online search engines, if a user knows that the AI in question is showing third parties personal information about them or about a past event that was once relevant but is no longer of interest to third parties (for example, a bankruptcy case involving a person that occurred 10 years ago), they have the right, and the company the duty, to have that information deleted immediately.
Also, if there is an automated decision affecting the user and, according to the recommendations of the EDPS, in high-risk AI systems, there must be human intervention that explains and reviews the decisions that the AI has taken on specific users and that have a significant impact on them.
That is why companies must have a procedure, organizational but also, of course, technical, to handle and manage these requests to exercise rights or to challenge AI decisions.
It is because of all the above that it is clear that the development of AI can only be done according to certain rules and, above all, with the human being and their protection present throughout the process, since without the above measures we run the risk of AI becoming a tool whose harm outweighs its advantages for society.
At the business level, it is clear that the processing of personal data will be one of the essential points in the processes that will surely be created for the evaluation and approval of AIs by the competent authorities, so not taking this aspect into account when creating them may entail the complete loss of the investment if the AI cannot be launched later.
For this reason, it will be essential that, within each entity, there is close collaboration between development technicians, engineers and data scientists, IT security personnel and data protection experts if an AI is to be launched on the market.
Article from Enrique Extremera Master, Head of Privacy, Legal Army.