Opinion of the EDPS on the Commission’s White Paper on Artificial Intelligence

What happened?

Earlier this year, the European Commission published a white paper on artificial intelligence “A European approach to excellence and trust” (“White Paper”) aimed at outlining and discussing the policy options on how to promote artificial intelligence (“AI”) while addressing the possible risks, such as discrimination or intrusion into our privates lives. In response, the European Data Protection Supervisor (“EDPS”) published an opinion on the White Paper (the “Opinion”)¹  providing its analysis from a data protection perspective.

Revised EU Law and GDPR compliant AI

The EDPS welcomes the Commission’s commitment to fundamental rights and values as well as its intention to comply with existing EU’s data protection legislation such as the General Data Protection Regulation (“GDPR”), notably through a revision of the legal framework. In response to the proposed regulatory framework aimed at addressing specifically AI concerns, the EDPS advocates for an inclusive approach, involving not only Member States but also EU institutions, agencies and bodies who are expected to respect the right to privacy and data protection.

Transparent processing and necessity for a clear assignment of roles and responsibilities

From a data protection perspective, the EDPS stresses that it remains crucial to opt for a clear assignment of roles and responsibilities for controllers and processors regarding the deployment of AI technologies. The roles may be difficult to assign, as AI technologies do not clearly identify the roles of controller and processor of AI technologies. A data protection impact assessment (“DPIA”) would be a useful tool to help allocated responsibilities.

What do AI technology developers have to expect?

An upcoming European regulatory framework for AI is expected to respect the general principles of Article 5 of the GDPR, namely the principles of lawfulness of processing, fairness and transparency; purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality as well as accountability of the controller.

Considering the potential risks associates to AI, the Opinion recommends that controllers must conduct a DPIA to determine whether AI applications should be considered high-risk or not. Controllers and processors of AI technologies must expect to be subject to conducting DPIAs, if a future AI regulatory framework will enter into effect.

Finally, if high-risks AI technology appear to be incompatible with the fundamental rights provided under the laws of the European Union, the EDPS will clearly consider a ban or prohibition of that technology.

A moratorium for biometric recognition technologies

Regarding specifically the deployment of automated recognition technologies of human features in public spaces, the EDPS endorses the idea of an EU-wide moratorium on such technologies involving faces, gait, fingerprints, DNA, voice, keystrokes recognition. A possible deployment of such technologies should only be considered if the appropriate safeguards are in place in the Member States of the EU concerned, including a comprehensive legal framework to guarantee the proportionality of the respective technologies and systems for the specific use case

What are the main remaining uncertainties?

Some elements still require clarification. The Opinion regrets the lack of a clear definition for AI that would serve as a scope of actions for any upcoming legislation.

The EDPS also notes some opacity in some types of AI applications related to human incapacity to explain the reasoning behind the AI application decision. The EDPS therefore suggest that transparent tests and audit procedures are used and suggests the need for a sound regulatory gap analysis in the impact assessment.

The deployment of AI technologies will certainly foster developers to new ventures. The latter must, however, make sure it complies with the principles laid down by current legislation and any upcoming regulatory framework safeguarding the fundamental rights of data subjects.

We take the opportunity of this news to refer to the following book edited by the International Technology Law Association: “Responsible AI: A Global Policy Framework”, ITechLaw Association, 2019.

At the time of writing this article, the book is available and open for public comment at https://www.itechlaw.org/ResponsibleAI.

Although members of our firm are members of the ITechLaw Association, the views and opinions in this book do not necessarily reflect the opinions of those individuals or of our law firm.