- 13 August 2019
- Privacy and Data Protection
We live in a digital world.
Every facet of daily life is governed to some degree by phone, web or some form of connected technology.
There is no question that advances in technology improves communication. The rate of information exchange now as compared to 10 years ago is staggering. Artificial Intelligence or AI and machine learning are revolutionising the way in which we interact with each other and conduct business.
But are these advances compatible with the principles of fairness and transparency under the General Data Protection Regulations (GDPR)?
Fairness and Transparency
Article 5 of the GDPR requires personal data to be processed lawfully, fairly and in a transparent manner.
Fairness is not defined but the principle is understood to refer to the effect processing has on an individual’s rights and freedoms. The Information Commissioner’s Office, the supervising authority for data protection in the UK considers that fairness means you “do not handle data in ways that people would reasonably not expect and not use it in ways that have unjustified effects on them”.¹
Machine learning is now used to some degree in most every day applications. Some common uses of machine learning are within search engines, browser applications, social media websites like Facebook, AI chatbots, smart assistants such as Amazon’s Alexa, Google Home and Amazon Echo. At the forefront of machine learning is deep learning which analyses massive amounts of data through networks that classify the data based on the results of the previous layer. The accuracy of the results (or model) depends on how much data is analysed; the larger the dataset, the more efficient or accurate the model.
You may have heard about Microsoft’s AI chatbot, Tay which was developed to interact with young people on Twitter. The chat bot was shut down after 16 hours as a result of the results of its learning. After interacting with a number of users, it was taught to post offensive, sexist and racists tweets. This was due to the limited number and nature of the machine’s interactions with users.
Machine learning outputs can therefore discriminate and present a distorted view of the world depending on what and how much data is analysed. If the datasets that are used are limited or from one sub-set of the population, then the model could be inherently biased.
Because of this concern, the GDPR has restricted the use of automated decision making without human intervention when it affects significant decisions of individuals.
Automatic decision making in this context could include the refusal of credit by credit providers or assessing job applications by on-line recruiters.
Such automated decision making is permitted under the GDPR where it is either authorised by law, the person has given explicit consent or the automation is necessary for the performance of a contract.
In the latter two cases, the person must have the right to obtain human intervention and a review of the decision. Consistent with the right to be informed, a person ought be made aware that they will be the subject of automated decision making.
How organisations are meeting these obligations in practice is difficult to gauge; an individual is wholly reliant on the organisation to inform them as to whether any decisions are being made by solely automated means.
This leads to another challenge to compliance which is the inherent opacity of sophisticated technologies. Whilst organisations have an obligation under the GDPR to inform individuals about the nature of any processing, this is often not possible or feasible because of technical complexity or the many layers of collection. Customers are not going to want to read lengthy detailed privacy policies and many will not understand the details even if presented to them.
Recently Google revealed that its staff listen into conversations through Google Home speakers. This was according to Google to improve speech technology by transcribing sets of enquiries. Google also revealed that the devices had at times functioned so that private conversations were being recorded by accident without the user’s knowledge.
Similarly, many people may not be aware that Amazon retains transcripts of conversations held through its voice based assistant, Alexa again apparently in order to train the AI’s responses.²
Artificial Intelligence or AI and machine learning are revolutionising the way in which we interact with each other and conduct business.
Would people reasonably expect their private conversations to be retained and read by third parties?
Both organisations have since come out publicly to defend the technology and said they were investigating.
Concerns surrounding the use of AI technologies were recognised by 122 of the world’s Data Protection and Privacy Commissioners at the International Conference of Data Protection in AI held in October 2018. In their declaration, the Commissioners endorsed the promotion of principles such as those found in the GDPR of fairness and transparency.
They called for common governance principles on AI to be established at an international level. As a first step, the Conference established a permanent working group, the Working Group on Ethics and Data Protection in Artificial Intelligence. It has yet to release any formal publication.
It is hoped that not only will these wider issues be considered at government level, but also on a voluntary basis by the global corporations which are both the purveyors and consumers of our data. Certainly co-operation at all levels will be required if real data protection compliance is to be achieved.
¹ ICO Principle (a): Lawfulness, fairness and transparency: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/
² Mirror Tech by Shivali Best, Martyn Landi, July 12: https://www.mirror.co.uk/tech/google-admits-staff-listen-customer-17997364
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
Read, listen and watch our latest insights
- 22 September 2023
Talking Employment Law: New family friendly rights
In this first podcast in the ‘Talking Employment Law’ series, Lucy Densham Brown and Rebecca Dowle, members of the employment team summarise some of the big new family-friendly Bills that are working their way through parliament.
- 20 September 2023
- Commercial Real Estate
Commercial buyers beware of residential Stamp Duty Land Tax
This article discusses a recent case in which a property buyer calculated the Stamp Duty Land Tax due on the purchase at a lower rate, due to the mixed-use purpose of the property.
- 19 September 2023
- Privacy and Data Protection
Organisations’ use of social media: Data protection
Social media applications (or commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity.
- 14 September 2023
Entrepreneurial Dreams: What is the Innovator Founder Visa?
In an era defined by innovation and entrepreneurship, the United Kingdom has made a substantial effort towards fostering its reputation as a global hub for start-ups and innovators. The introduction of the UK’s ‘Innovator Founder’ route has marked a pivotal moment in the country’s immigration policy.
- 11 September 2023
- Corporate and M&A
Changes to the tax treatment of Employee Ownership Trusts
The government published a consultation on 18 July 2023 seeking the public’s views on its proposals to reform the tax treatment of Employee Ownership Trusts and Employee Benefit Trusts. Parties are invited to express their opinions via email via the government website until the consultation closes on 25 September 2023.