There’s hardly a day goes by without some news about the intersection of AI and the law. In a significant development this week Google has paused the rollout of its Bard AI chatbot in the EU after intervention by the Irish Data Protection Commission (DPC). The case shows that data protection authorities are willing to step in to regulate GDPR. It also shows that despite almost €4bn in GDPR fines to date GDPR is not just all about the money.
Google told the DPC of its plans to launch Bard in the EU in an attempt to rival other generative AI solutions including OpenAI’s ChatGPT. As we’ve said in our alerts over a number of years AI solutions are likely to require a Data Protection Impact Assessment (DPIA) to comply with GDPR. There’s more on that in our note from 2021 here https://www.corderycompliance.com/ai-and-gdpr-teaching-machines-fairness/.
In this case the DPC was concerned that no DPIA had been submitted for its approval. Google has said that it will engage with the DPC but it has suspended the launch. The DPC has said that it will engage with other EU authorities once it receives the documentation it has requested.
Is this the first time that this has happened?
No. The DPC previously intervened in a similar way after Facebook said that it was launching its online dating service in February 2020. That intervention led to Facebook missing the opportunity to launch and grow its online dating services during the pandemic – a loss of business that might be far more significant than any fine that the DPC could levy. You can read our note on that here https://www.corderycompliance.com/ireland-dpc-halts-fb-dating-service/.
We’ve also looked previously at the concerns expressed by the Italian DPA about chatbots in its investigations into ReplikaAI https://www.corderycompliance.com/italy-dpa-chatbot-0223/ & Chat GPT https://www.corderycompliance.com/it-dpa-chatgpt-0423-01/. Jonathan Armstrong spoke of these cases in a recent interview with ISMG here https://www.corderycompliance.com/ismg-cgpt-04-23-04/.
What can I do when developing AI?
We discussed some of the GDPR issues in AI in our alert in 2021. You can read that article here –https://www.corderycompliance.com/ai-and-gdpr-teaching-machines-fairness/
The tips that we gave then, remain sound:
- Consider AI in its proper context – whilst AI is moving forward at a rapid rate and its potential is massive, true AI is still a developing technology.
- Ensure your solution complies with data protection laws, and in time purpose-built AI legislation – existing data protection requirements will need to be complied with, such as the data protection principles of fairness, accountability, transparency and data subject rights, but watch this space for the EU’s new regulatory framework on AI.
- Do proper due diligence on any potential vendor or provider. Don’t be fooled by sales spiel and make sure that any solution you are being offered does what is being promised, is offered by a reputable supplier and addresses any compliance concerns.
- Keep on top of the available guidance – there is a high volume of guidance in this area, and expect more to come in future as this area develops further.
- Ensure that adequate safeguards are in place to protect people from biased or discriminatory decisions or outcomes – these should leverage the best aspects of both human and automated intelligence.
- Ensure that ethical considerations are given sufficient weight – just because you have the technical capability do something, does not necessarily mean that you should.
- Do a proper DPIA, consult with specialist lawyers as appropriate and build time into your development schedules to assess the risks properly.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 347 2365|
Picture credit: DALL.E