August 23, 2019

Catch-22? Developing AI Under GDPR

Person using a laptop (PA Images/PA Wire/Scanpix). GDPR set a gold standard for privacy protection when it took effect in May 2018.

Estonia has always taken great pride in staying at the cutting edge of merging technology and government.

With 99% of state services online and a back-end digital infrastructure that lets government databases exchange data, the small Baltic country hosts a big suite of high-tech tools.  In recent years, it has remained progressive even on the latest digital frontier of artificial intelligence (AI).  AI or machine learning is already implemented in 13 projects across the country, where algorithms aid or substitute for human decision-making in agriculture, school enrollment, and even courts of law.  The Kratt Report, published in May, presented a national plan to accelerate AI development in both the private and public sectors.  Despite Estonia’s progress to date, however, one unexpected threat may stifle further AI development: privacy regulation in the EU.

The General Data Protection Regulation, or GDPR, set a gold standard for privacy protection when it took effect in May 2018.  The law regulates data protection and privacy for individuals in the EU, as well as the transfer of their personal data outside the EU, and it is widely regarded as establishing the most protective data and privacy regime in the world.  More than a year on, however, its shortcomings for both privacy and tech development are increasingly debated.  A presentation at this year’s Black Hat Security Conference in Las Vegas, Nevada demonstrated how GDPR’s own data protection provisions could actually be used to invade the consumer privacy they are meant to protect.  Using dozens of “right of access” requests, Oxford-based researcher James Pavur found that he could obtain personal information—ranging from purchase histories, to partial credit card numbers, to past and present home addresses—from several UK and US-based companies without even verifying his identity.

The EU’s expansive privacy regulation has also been critiqued for the limitations it poses on AI development, which relies heavily on (big) data.  Beyond its restrictions on the collection of user data, GDPR ensures that even when a company does collect personal data, its use for automated decision-making—a standard AI application—is limited.  Article 22 gives users the right not to be subject to decisions based solely on automated processing; if a user opts out, the company must provide a human-reviewed alternative that respects that choice.  When automation is used, it must be clearly explained to the user, and its application can still be penalized for ambiguity or for violating other provisions, making AI a risky undertaking for GDPR-compliant organizations.  In practice, supporting this opt-out amounts to maintaining a parallel, human-staffed path alongside every automated decision a service offers, as the sketch below illustrates.
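
The following is a minimal, hypothetical Python sketch of that routing decision; the names User, score_with_model, and queue_for_human_review are invented for this example rather than drawn from any real system or library, and a real deployment would involve far more than a single flag check.

# Hypothetical sketch: routing a decision request under an Article 22-style opt-out.
# Users who decline automated processing are sent to a human review queue
# instead of the model.

from dataclasses import dataclass

@dataclass
class User:
    user_id: str
    allows_automated_decisions: bool  # consent flag stored per user (illustrative)

def score_with_model(application: dict) -> str:
    # Stand-in for an ML model; a real system would call a trained classifier.
    return "approved" if application.get("income", 0) > 30000 else "rejected"

def queue_for_human_review(application: dict) -> str:
    # Stand-in for a manual review workflow (ticketing system, case worker, etc.).
    return "pending_human_review"

def decide(user: User, application: dict) -> str:
    if user.allows_automated_decisions:
        # Automated path: the decision must also be explainable to the user.
        return score_with_model(application)
    # Opt-out path: the company must provide a human-reviewed alternative.
    return queue_for_human_review(application)

if __name__ == "__main__":
    print(decide(User("u1", True), {"income": 45000}))   # automated decision
    print(decide(User("u2", False), {"income": 45000}))  # routed to a person

The point of the example is the branch itself: the opt-out obliges companies to keep a manual review process running in parallel, which is part of what makes automated decision-making costly under GDPR.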

Europe already lags behind the US and China by several measures of AI activity, including early-stage investment, scale, and diffusion.  AI remains a higher priority to executives in China and the US than to executives in several European countries.  North America is, on average, better positioned for government AI readiness than Europe, and the gap between the regions risks widening further.  If GDPR significantly stymies Europe’s AI presence, other countries could surge even further ahead to establish AI hegemony—an achievement that various world leaders have heralded as ensuring “quality of life,” “national competitiveness,” and even the ability to “rule the world.”

It may be impossible for the EU to close its AI gap without regressing to weaker privacy practices.  But the approaches of its competitors in the US and China might offer some solutions to practitioners debating the tension between AI and privacy at large.

China is notorious for its surveillance state, one that AI is only strengthening.  Pervasive state-sponsored, AI-powered facial and voice recognition technology is already being abused for racial profiling, and with a surveillance network expected to grow to hundreds of millions of devices by 2020, the Chinese government is building unparalleled access to volumes of biometric data—a uniquely permanent class of personal data that, though invaluable to AI development, could pose a massive risk to privacy.  With respect to its stance on data privacy, however, the country has been described as having a “split identity” because of its fledgling system for privacy protection.  The national standard, the Personal Information Security Specification, effective as of May 2018, established data protection benchmarks to increase users’ control over their data.  At the same time, by allowing implicit as well as explicit consent to grant companies access to user data, the standard maintains a corporate friendliness unrestricted by data chokeholds.  Although it’s largely too soon to tell—and the state’s history of censorship, surveillance, and other privacy and human rights abuses might suggest otherwise—some experts are optimistic that this will produce an environment that protects consumer privacy while also promoting AI research.

The US, like China, has found itself caught between the conflicting ideals of privacy protection and at-all-costs tech progress, as exemplified by Facebook’s slew of privacy smackdowns.  Steadily increasing federal spending on AI, accompanied by a recent executive order establishing the American AI Initiative, points to consensus on whether the country should pursue AI progress, but variation between state and federal laws suggests wide disagreement on the privacy front.  On one end of the US legal spectrum, no comprehensive federal privacy law governs the use or collection of consumer data.  On the other, the California Consumer Privacy Act (CCPA) mirrors the GDPR’s stringent efforts to enhance users’ awareness of and control over the collection of their data, greatly restricting companies’ ability to collect identifiable data.  Its strictness creates many of the same problems for AI development evident under GDPR.  Opt-out capabilities force companies to establish manual review processes should users choose not to allow automatic data processing; the right to erasure allows users to eliminate all data a company holds about them, eradicating the very capacity for “learning” that empowers AI in the first place; and the breadth of data protected by the CCPA makes collection of any kind difficult, since gathering even distantly personal data can draw fines if found non-compliant.  But a key difference in scope between the CCPA and the GDPR leaves one sector of organizations freer to conduct AI research—namely, public institutions and non-profit organizations, because the CCPA applies only to for-profit entities (“businesses”).

Europe, and Estonia in particular, hasn’t fallen hopelessly behind in the AI arms race.  As recently as May of this year, Oxford Insights released its 2019 Government AI Readiness Index, ranking the UK, Germany, and Finland among the top five countries best equipped to lead with AI.  And it may be possible for the EU to reform GDPR in a manner that maintains reasonable bounds on individual privacy without excessively limiting AI diffusion, for example by depenalizing automated decision-making (Article 22), loosening transparency requirements for data processing (Article 5), or explicitly expanding AI-related applications of data processing (Article 6).  But until that happens, scholars and policymakers need to keep discussing what changes—or compromises—Europe can make to ensure that Article 22 doesn’t become a catch-22 preventing the EU from keeping up with the rapid pace of global AI development.