Thinking of using AI in your business?

Most commentary around AI looks at the big picture or the future of work, but in this article we look at some of the practical data protection implications for businesses considering implementing AI systems.

1. Automated Decision-Making

Both the EU and UK GDPR (in this article we refer to both) contain specific rules covering individuals' rights where processing involves solely automated decision-making, including profiling. These set out what information businesses must provide to individuals about automated decision-making (usually done together with the privacy notice), and individuals' rights in relation to any automated decision about them (e.g., the right to contest the decision or the right not to be subject to an automated decision that significantly affects them).

GDPR requires businesses to provide individuals with "meaningful information about the logic involved", as well as the significance and the envisaged consequences of such processing. Given the complexity of AI algorithms, any meaningful information may at first be incomprehensible to individuals, which can be a challenge. However, regulators do not expect businesses to provide complex explanations of how an AI system works. Instead, the information provided should be sufficiently comprehensive for the individual to understand the reasoning behind the automated decision.

In addition, GDPR requires businesses to implement appropriate safeguards when processing personal data to make solely automated decisions. The most important of these is meaningful human intervention. Businesses must, therefore, ensure they have appropriate procedures in place to support meaningful human review of any AI-generated automated decision. This will include designing a system and developing a training programme that enables staff to address, escalate and, if required, override an automated decision.

2. Data Protection Impact Assessment

In many cases, a business's use of an AI system will trigger the need for a Data Protection Impact Assessment (DPIA) to help identify and minimise the data protection risks associated with the project. A DPIA is mandatory where the type of processing is likely to result in a high risk to individuals' rights and freedoms, a threshold which many AI systems are likely to meet. In fact, both UK and EU regulators have published guidance stating that, in the vast majority of cases, the implementation of AI technology will trigger the need for a DPIA.

It is also worth remembering that if a DPIA indicates that the processing carried out by the AI system poses a high risk to individuals, but those risks cannot be mitigated, the business may need to consult the data protection regulator before carrying out any processing.

3. Data Minimisation

The use of large amounts of data is central to the development and use of AI systems, putting the GDPR's data minimisation principle to the test where this includes personal data. Businesses need to find ways to ensure they only process personal data that is 'adequate, relevant and limited' to what is necessary to develop and operate the AI system.

To achieve this, businesses should implement data minimisation practices and procedures from the very start of the AI system design phase. Additionally, to the extent that an AI system is provided or operated by a third party, businesses should consider data minimisation as part of the procurement process (see Vendor Due Diligence below).

As the training of an AI system requires a large amount of data, the French regulator has commented that businesses may use fictitious data which has the same value as real data but does not relate to individuals. This synthetic data would not constitute personal data. However, the use of synthetic data has its limitations, as it may produce self-reinforcing results. There are also potential copyright risks in using synthetic data to train AI systems (a risk which may increase if the draft EU AI Act comes into force).

4. Transparency

GDPR's transparency requirements create a number of overarching legal obligations on how businesses disclose their collection and use of personal data. To meet this obligation, GDPR sets out the information that must be provided to individuals, depending on whether the personal data is collected directly from that individual or by other means (e.g. using data lists from third parties). A privacy notice is the most common way for businesses to provide individuals with clear and detailed information about how they process their personal data.

As the design, training and implementation of an AI system will result in a new form of processing, businesses will need to update their privacy notices to reflect this new processing activity, together with information about the purpose and lawful basis for this processing.

5. Vendor Due Diligence

For most businesses, an AI system is likely to be provided by a third party, which means vendor due diligence will play a crucial role in determining whether implementing, developing and maintaining a third-party AI system will comply with the business's GDPR obligations. If, during the due diligence process, a third-party vendor fails to satisfy enquiries about its GDPR compliance, the business may have to choose a different solution or offset the risk in its commercial terms.

Additionally, as new legislation (such as the forthcoming EU AI Act and the UK Data Protection and Digital Information (No.2) Bill) comes in, and new compliance considerations arise during the course of an AI system's deployment, the business should undertake regular reviews of the third party's service and, where necessary, amend the terms of service or switch to another provider if the AI system no longer complies with GDPR. Ongoing due diligence is vital for businesses to demonstrate compliance with their accountability and governance obligations under GDPR.

Useful Regulatory Guidance:

New guidance is published regularly, so make sure you keep an eye out for it!

