The impact of Artificial Intelligence (AI) on everyday life raises a number of concerns from a data protection perspective. All such concerns will have to be considered carefully, also taking into account the provisions of EU Regulation 2016/679, the General Data Protection Regulation (GDPR).
Purposes of the personal data processing – The enhancement of AI systems raises a material issue regarding the purposes of the data processing. This issue is directly connected with the “machine learning” features of an AI system (that is, the ability of an AI system to interact with the surrounding environment, to learn from experience, and to shape its future behavior based on such interactions and learning).
AI and machine learning features may cause personal data to be processed in different ways and for different purposes than those for which the processing was originally set up. This may result in data subjects completely losing control of their data. Any such loss of control is obviously contrary to the principles of the GDPR.
Legal basis of the processing of personal data – It is often difficult to identify the legal basis for the personal data processing, in addition to the general legal basis of the performance of a contract between the data controller and the data subject.
Express consent may not always be appropriate: it is hard to obtain because of the way AI systems generally operate, and it is also “dangerous” from a data controller perspective, since the data subject can withdraw such consent at any moment, often creating operational issues that AI systems may not be able to manage.
Legitimate interest may also be problematic, as it requires a difficult balance between the rights of the data subjects and the legitimate interests of the data controller; there are no clear guidelines on how to strike such a balance.
Setting up the legal basis and purposes of the personal data processing remains one of the most important features to take into account when dealing with AI systems and related machine learning features.
Inferred data – This issue, often addressed with regard to IoT-based datasets, becomes even more relevant in an AI-based scenario. AI systems may make it possible to transform anonymous information into personal data, including special categories of personal data.
Audit and controls on AI systems – AI providers “reluctantly” allow audits and controls on their AI systems, even when such audits and controls are specifically required by GDPR provisions. Such reluctance is generally due to the complexity of AI systems and their algorithms. This is also one of the main issues that has to be addressed from a contractual perspective.