Monitor Prawniczy

no. 11/2024

Risks for personal data protection arising from AI systems, taking into account the AI Act and the decisions of EU data protection authorities

Mariusz Krzysztofek
The author is Privacy Director EMEA and DPO at Herbalife.
Abstract

The purpose of this article is to present the risks for personal data protection that may result from the functioning of artificial intelligence (AI). An AI system that processes personal data may create risks to the protection of those data, such as doubts about the legal basis for processing for the purpose of training AI models (principle of lawfulness); non-compliance with the principles of accuracy, minimization and transparency and with the requirement to ensure the right of access to data, e.g. in order to correct them; and, if the non-compliance is systemic, consequently also with the principle of privacy by design. This applies to systems that operate not on specific closed data sets but on big data, and that use these resources within the machine learning mechanism. These risks can therefore be eliminated or kept under control, e.g. where a user (deployer) implements an AI system over which it has control and ensures supervision over the extent of the data.
Maintaining the compliance of AI systems that process personal data with the GDPR can be a challenge if they operate not on specific closed data sets (e.g. those owned by a company implementing an AI system based on its own data, i.e. a user within the meaning of Art. 3.4 of the AI Act) but on big data, primarily because this contradicts the principle of data minimization. This principle, provided for in the GDPR, requires that data be processed only to the extent necessary to achieve the purpose. That is possible in a data set in which the controller can verify and correct the data, but unrealistic in big data, in unlimited online resources fed from many sources. Minimization is one of the crucial principles of the GDPR, while the effectiveness of AI machine learning improves with the quantity of data. This is a fundamental contradiction between the nature of AI and personal data protection.

Keywords
Artificial Intelligence Act, AI, artificial intelligence, machine learning, risks and challenges for personal data protection arising from the functioning of AI, OpenAI, ChatGPT