大多数全球最大的博彩平台人工智能的评论都着眼于大局或未来的工作, but in this article we look at some practical data protection implications for businesses that are considering implementing AI systems.
1. 自动化决策
There are specific rules in both the EU 和 UK GDPR (in this article we will refer to both together) covering individuals’ rights when processing involves solely automated decision-making, 包括分析. These specify what information businesses must provide to individuals about the automated decision-making (often done with a privacy notice) 和 their rights in relation to any automated decisions made about them (e.g., the right to challenge a decision or the right not to be subject to automated decisions which have a significant impact on them).
The GDPR states that businesses will need to provide individuals with “meaningful information about the logic involved, 以及这种处理的意义和设想的后果.” This can be challenging given the complexities of AI algorithms 和 any meaningful information may not even be underst和able to individuals in the first place. 然而, regulators do not expect businesses to provide a complex explanation of how the AI system works. 而不是, the information provided should be sufficiently comprehensive for the individual to underst和 the reasoning behind the automated decision.
除了, the GDPR requires businesses to implement suitable safeguards when processing personal data to make solely automated decisions. 其中最重要的是有意义的人为干预. 企业必须, 因此, ensure that they have appropriate procedures in place to support meaningful human review of any AI generated automated decisions. This will include designing a system 和 developing a training programme which will allow employees to address, 升级和, 如果需要, 覆盖自动决策.
2. 资料保护影响评估
在很多情况下, the use of an AI system by a business will trigger the need for a data protection impact assessment (DPIA) to help identify 和 minimise the data protection risks associated with the project. A DPIA is m和atory if the type of processing is likely to result in a high risk to the rights 和 freedoms of individuals, 这是许多人工智能系统可能达到的门槛. 事实上, both the UK 和 EU regulators have published guidance that states that in the vast majority of cases the implementation of AI technology will trigger the need for a DPIA.
It is also worth remembering that businesses may need to consult a data protection supervisory authority prior to any processing where the DPIA indicates that the processing undertaken by the AI systems would result in a high risk to individuals, 但这些风险无法减轻.
3. 数据最小化
大量数据的使用是人工智能系统开发和使用的核心, 对GDPR的数据最小化原则进行测试,其中包括个人数据. Businesses will need to think of ways of ensuring they only process personal data that is ‘adequate, 与开发和操作人工智能系统所必需的相关和有限的东西.
为了实现这个目标, the business should implement data minimisation practices 和 procedures from the very outset of the AI system design phase. 另外, 在人工智能系统由第三方提供或操作的情况下, the business should factor in data minimisation as part of the procurement process (see 卖方尽职调查 below).
因为人工智能系统的训练需要大量的数据, the French supervisory authority has commented that it may be possible for a business to use fictitious data with the same value as real data but not linked to an individual person. 此合成资料不构成个人资料. 然而, there are limitations to the use of synthetic data given that it may provide self-reinforcing results. There are also potential copyright risks with using synthetic data to train AI systems (which is likely to increase if the draft EU AI Act comes into force).
4. 透明度
The transparency requirements of the GDPR create a number of overarching legal obligations for how a business makes public its collection 和 use of personal data. 履行这一义务, the GDPR sets out the information that an individual must be provided with depending on whether the personal data has been directly collected from that individual, 或者用其他方法(e).g. 使用来自第三方的数据列表). A privacy notice is the most common way that businesses provide clear 和 detailed information to individuals about what they are doing with personal data.
作为设计, 人工智能系统的培训和实施将产生一种新的处理形式, 企业将需要更新其隐私声明,以反映这种新的处理活动, 同时提供有关此处理的目的和合法依据的信息.
5. 卖方尽职调查
对大多数企业来说, 人工智能系统很可能由第三方提供, 这意味着供应商尽职调查将在决定是否实施方面发挥关键作用, developing 和 maintaining a third-party AI system will comply with the business’s GDPR obligations. If during the due diligence process the third-party vendor fails to satisfy queries raised about its compliance with the GDPR, then the business may have to opt for a different solution or offset the risk in its terms of business.
另外, as new legislation (such as the upcoming EU AI Act 和 UK Data Protection 和 Digital Information (No.2)比尔进来了, 以及在人工智能系统部署过程中出现的新的合规性考虑, 企业应定期对第三方的服务进行审核, 在必要时, modify the terms of the service or switch to another provider if the AI system is no longer compliant with the GDPR. Continuous diligence is crucial for businesses to demonstrate they are complying with their accountability 和 governance obligations under the GDPR.
有用的监管指引:
- 资讯专员办事处(ICO): “解释人工智能做出的决定” 和 “人工智能对问责制和治理的影响是什么?’
- CNIL(法国数据监管机构): “人工智能:确保GDPR合规”
新的指南会定期发布,所以你一定要留意一下!
