AI Training Datasets & Article 14 GDPR
A Risk Assessment for the Proportionality Exemption of the Obligation to Provide Information
DOI: https://doi.org/10.26512/lstr.v13i2.36253
Keywords: AI. GDPR. Article 14. Risk-Assessment. Transparency.
Abstract
[Purpose] At the earliest stages of the AI lifecycle, the training, verification and validation of machine learning and deep learning algorithms require vast datasets that usually contain personal data. This data is, however, not obtained directly from the data subject, and very often the controller is not in a position to identify the data subjects, or such identification would require a disproportionate effort. This situation raises the question of how the controller can comply with its obligation to inform the data subjects about the processing, especially when providing the information notice is impossible or requires a disproportionate effort. There is little to no guidance on the matter. The purpose of this paper is to address this gap by designing a clear risk-assessment methodology that controllers can follow when providing information to the data subjects is impossible or requires a disproportionate effort.
[Methodology] After examining, through a doctrinal analysis, the scope of the transparency principle, Article 14 and its proportionality exemption in the training and verification stage of machine learning and deep learning algorithms, we assess whether existing tools and methodologies can be adapted to accommodate the GDPR requirement of carrying out a balancing test, in conjunction with, or independently of, a DPIA.
[Findings] Based on an interdisciplinary analysis, comprising theoretical and descriptive material from a legal and technological point of view, we propose a risk-assessment methodology as well as a series of risk-mitigating measures to ensure the protection of the data subject's rights and legitimate interests while fostering the uptake of the technology.
[Practical Implications] The proposed balancing exercise and additional measures are designed to assist entities training or developing AI, especially SMEs, within and outside the EEA, that wish to ensure and demonstrate the data protection compliance of their AI-based solutions.
© Law, State and Telecommunications Review 2021
This work is licensed under a Creative Commons Attribution 4.0 International License.
By submitting this paper to the Law, State and Telecommunications Review,
I hereby declare that I agree to the terms of the Creative Commons Attribution 4.0 International (CC BY 4.0).