How can we help?


AI and Data Protection – Is Fair and Transparent Privacy Possible?

We live in a digital world.

Every facet of daily life is governed to some degree by phone, web or some form of connected technology.

There is no question that advances in technology improves communication. The rate of information exchange now as compared to 10 years ago is staggering. Artificial Intelligence or AI and machine learning are revolutionising the way in which we interact with each other and conduct business.

But are these advances compatible with the principles of fairness and transparency under the General Data Protection Regulations (GDPR)?

Fairness and Transparency

Article 5 of the GDPR requires personal data to be processed lawfully, fairly and in a transparent manner.

Fairness is not defined but the principle is understood to refer to the effect processing has on an individual’s rights and freedoms. The Information Commissioner’s Office, the  supervising authority for data protection in the UK considers that fairness means you “do not handle data in ways that people would reasonably not expect and not use it in ways that have unjustified effects on them”.¹ 

Transparency involves requiring any information relating to processing be easily accessible, easy to understand with clear and plain language to be used. This relates to the information an organisation must provide to an individual about data processing usually contained in a privacy policy.

Machine learning is now used to some degree in most every day applications. Some common uses of machine learning are within search engines, browser applications, social media websites like Facebook, AI chatbots,  smart assistants such as Amazon’s Alexa,  Google Home and Amazon Echo. At the forefront of machine learning is deep learning which analyses massive amounts of data through networks that classify the data based on the results of the previous layer. The accuracy of the results (or model) depends on how much data is analysed; the larger the dataset, the more efficient or accurate the model.

You may have heard about Microsoft’s AI chatbot, Tay which was developed to interact with young people on Twitter. The chat bot was shut down after 16 hours as a result of the results of its learning. After interacting with a number of users, it was taught to post offensive, sexist and racists tweets. This was due to the limited number and nature of the machine’s interactions with users.

Machine learning outputs can therefore discriminate and present a distorted view of the world depending on what and how much data is analysed. If the datasets that are used are limited or from one sub-set of the population, then the model could be inherently biased.

Because of this concern, the GDPR has restricted the use of automated decision making without human intervention when it affects significant decisions of individuals.

Automatic decision making in this context could include the refusal of credit by credit providers or assessing job applications by on-line recruiters.

Such automated decision making is permitted under the GDPR where it is either authorised by law, the person has given explicit consent or the automation is necessary for the performance of a contract.

In the latter two cases, the person must have the right to obtain human intervention and a review of the decision. Consistent with the right to be informed, a person ought be made aware that they will be the subject of automated decision making.

How organisations are meeting these obligations in practice is difficult to gauge; an individual is wholly reliant on the organisation to inform them as to whether any decisions are being made by solely automated means.

This leads to another challenge to compliance which is the inherent opacity of sophisticated technologies. Whilst organisations have an obligation under the GDPR to inform individuals about the nature of any processing, this is often not possible or feasible because of technical complexity or the many layers of collection. Customers are not going to want to read lengthy detailed privacy policies and many will not understand the details even if presented to them.

Recently Google revealed that its staff listen into conversations through Google Home speakers. This was according to Google to improve speech technology by transcribing sets of enquiries. Google also revealed that the devices had at times functioned so that private conversations were being recorded by accident without the user’s knowledge.

Similarly, many people may not be aware that Amazon retains transcripts of conversations held through its voice based assistant, Alexa again apparently in order to train the AI’s responses.²

Artificial Intelligence or AI and machine learning are revolutionising the way in which we interact with each other and conduct business.

Would people reasonably expect their private conversations to be retained and read by third parties?

Both organisations have since come out publicly to defend the technology and said they were investigating.

Concerns surrounding the use of AI technologies were recognised by 122 of the world’s Data Protection and Privacy Commissioners at the International Conference of Data Protection in AI held in October 2018. In their declaration, the Commissioners endorsed the promotion of principles such as those found in the GDPR of fairness and transparency.

They called for common governance principles on AI to be established at an international level. As a first step, the Conference established a permanent working group, the Working Group on Ethics and Data Protection in Artificial Intelligence. It has yet to release any formal publication.

It is hoped that not only will these wider issues be considered at government level, but also on a voluntary basis by the global corporations which are both the purveyors and consumers of our data. Certainly co-operation at all levels will be required if real data protection compliance is to be achieved.


¹ ICO Principle (a): Lawfulness, fairness and transparency:

² Mirror Tech by Shivali Best, Martyn Landi, July 12:


About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 22 February 2024
  • Employment

Time to take the heat off menopausal women

On 22 February 2024, the EHRC released guidance and resources for employers designed to help employers understand their legal obligations in relation to supporting workers experiencing menopausal symptoms.

  • 22 February 2024
  • Employment

Talking Employment Law: What to do if you’re at risk of redundancy

In this podcast, Harry Berryman and Rebecca Dowle, members of the employment team, will talk through the steps that need to be taken for a redundancy to be fair and the range of criteria that can be used when determining which employees will be made redundant.

  • 21 February 2024
  • Immigration

FAQs Partner Visa UK

Discover the UK Spouse Visa: eligibility, finances, relationship criteria, and the latest updates in 2024 for a successful application.

  • 19 February 2024
  • Privacy and Data Protection

The role of Data Protection Officers in ensuring compliance

How many of us receive marketing calls for products and services we did not sign up for?

  • 12 February 2024
  • Employment

The World of Work in 2024- What Can HR Expect?

In many senses, 2024 is unlikely to be a year with radical ruptures from those that have gone before it. The significance of 2024 though, is that it is likely to build upon those megatrends impacting the world of work, which have been emerging for some time now and are only likely to strengthen as we move on in time.

  • 09 February 2024
  • Privacy and Data Protection

Are we suffering from cookie fatigue?

An over-indulgence in Easter treats might not be the only cookie fatigue that individuals will suffer this year according to the Information Commissioners Office (ICO).