AI and GDPR: Safeguarding Personal Data in Today's Algorithm-Driven World

Lawyer Mihaela Murariu, from Grecu Partners Business Law Firm, examines the effects of Artificial Intelligence on the protection of personal data. Artificial Intelligence is widely used across various sectors, including marketing, healthcare, recruiting, and more.

Lawyer Mihaela Murariu Discusses AI's Impact on Personal Data Protection at Grecu Partners

Artificial intelligence (AI) is taking over various sectors, from healthcare to marketing. Yet, AI's growing presence raises concerns about privacy and personal data protection. The General Data Protection Regulation (GDPR), a globally recognized European standard, plays a pivotal role in ensuring AI-based technologies respect individuals' fundamental rights.

In an era where algorithms can swiftly process colossal amounts of data, striking a balance between innovation and adherence to legal norms is crucial. Is it feasible for companies to employ AI without breaching GDPR? What rights do individuals whose data is being processed have?

AI data processing requires a legal basis, as stated in Regulation 679/2016's Article 6. This can include explicit consent, legitimate interest, or contract execution. For instance, when AI systems personalize marketing messages, users must be well informed about how their data is used and give explicit consent.

Ramping up AI models often involves handling vast volumes of personal data, raising privacy concerns. GDPR Article 9 prohibits the use of sensitive data (e.g., health information, ethnic origin, or political opinions) unless sanctioned by a legitimate reason. Moreover, data anonymization should be practiced to reduce risks. If a firm creates a facial recognition model utilizing images from public databases containing identifiable personal data, the company must anonymize the data or obtain individuals' consent.

Addressing the challenges of respecting data subjects' rights, as outlined in Articles 15-21 of GDPR, is essential. Individuals must have access to transparent information about how their data is handled and be able to request the deletion of their data from AI systems. Moreover, automated decisions with significant impacts, like credit denial, must include human intervention to ensure fairness.

GDPR compliance adds to the development costs of AI technology. Companies must engineer systems to minimize data collection (Privacy by Default) and integrate data protection from the design phase (Privacy by Design). Additionally, businesses must furnish documentation backing compliance. This requirement pushes AI application developers to design functionalities that collect only the data strictly necessary for their objectives.

Regrettably, some companies have faced penalties for unjust AI use, like employing biometric data for facial recognition, considered an unacceptable risk under the AI regulation. Real-time biometric monitoring systems in public spaces are banned as they can significantly affect individuals' fundamental rights and freedoms. Assigning a social score influencing individuals' access to various public or private services might also lead to difficulties.

To remedy these issues, the "Artificial Intelligence Act" (AI Act) complements GDPR by setting clear rules for AI usage within the EU. The AI Act sorts AI applications based on risks and introduces stringent requirements for "high-risk" systems, such as facial recognition used by authorities, AI systems in healthcare, or automated recruitment systems, which must comply with both GDPR and AI Act provisions.

If you have any additional questions or require further information, please contact [email protected].

**This is Partner Content.**

(Illustration source: Data Protection © Wit Olszewski | Dreamstime.com)

Relevant Strategies for AI-Driven Data Processing Compliance

  1. Automated Compliance Checks: Utilize AI monitoring tools like EQS Privacy Cockpit for real-time tracking of GDPR adherence, including data minimization and lawful basis verification.
  2. Risk Management: Conduct Data Protection Impact Assessments (DPIAs) to identify risks in AI systems, particularly for high-risk AI applications under the EU AI Act.
  3. Privacy by Design: Integrate data protection into AI development phases, such as anonymizing training data and limiting personal data collection.
  4. Cross-Functional Governance: Foster collaboration among DPOs, legal teams, and technical experts to align AI systems with GDPR principles.
  5. Documentation & Audits: Maintain detailed records of AI data processing activities to demonstrate compliance during regulatory reviews.

Rights of Individuals Under GDPR for AI-Processed Data

Individuals retain the same GDPR rights for AI-processed data, including:

  • Right to Access: Obtain confirmation about their data usage in AI systems.
  • Right to Rectification: Correct inaccurate personal data impacting AI outputs.
  • Right to Erasure: Request deletion of their data from AI models unless retention is legally justified.
  • Right to Explanation: Receive clear information about automated decision-making processes.
  • Right to Object: Opt out of profiling or automated decisions significantly impacting them.

  1. Under the GDPR, companies must adhere to strict regulations when employing AI, balancing innovation with respect for legal norms, such as Article 6's requirement for a legal basis in data processing.
  2. As large volumes of personal data are often handled in AI models, it is important to practice data anonymization to reduce privacy concerns, as outlined in Article 9, which prohibits the use of sensitive data without a legitimate reason.
  3. To ensure compliance with the GDPR, businesses must engineer systems with Privacy by Default and Privacy by Design principles, collecting only strictly necessary data for their objectives, and integrate data protection from the design phase.
  4. Individuals possess the same rights under the GDPR for AI-processed data, such as the Right to Access, Right to Rectification, Right to Erasure, Right to Explanation, and Right to Object, which allows them to opt out of profiling or automated decisions significantly impacting them.