GDPR Compliance in the Age of Robots

Elizabeth M. Renieris
Dec 12, 2017

As we approach the May 2018 implementation deadline for compliance with the EU’s General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), I cannot help but wonder what compliance with privacy and data protection laws and regulations will look like in an age of increasing automation and intelligent machines. Specifically, I’ve been thinking about how emerging technologies like artificial intelligence (AI), machine learning, deep learning, and blockchain and other distributed ledger technologies (DLT) will transform, and potentially even outpace, attempts at compliance. Whereas compliance in the age of big data has traditionally focused on quantitative challenges, these technologies will present qualitatively new challenges for complying with laws like the GDPR.

Take, for example, the right of access (and the related notion of transparency), a foundational and essential element of nearly all data protection schemes and fair information privacy practices worldwide. Article 15 of the GDPR enshrines this right of access and stipulates the information to be provided to a data subject requesting access to his or her data, including “the existence of automated decision-making, including profiling . . . and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” Moreover, Article 12 of the GDPR requires a data controller to provide information requested by a data subject in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.” Finally, in the context of automated decision-making, Article 22 provides that the data subject must have “at least the right to obtain human intervention on the part of the data controller, to express his or her point of view and to contest the decision.”

While access rights are not a new concept, giving them effect may be increasingly complicated in the face of emerging technologies that manage our personal data. For example, how will data controllers provide data subjects with “meaningful information about the logic involved” in technology products and services that depend on complex algorithms, advanced cryptography, and things that technologists and computer scientists themselves cannot even explain, as in the case of deep neural networks (DNNs) and other deep learning tools that teach themselves? And, even if they were able to explain how these technologies work, how will data controllers provide the information in “clear and plain language” as required by the GDPR? Will a domain-specific language be enough? Or does the solution lie in a totally new paradigm for data ownership and another emerging technology like blockchain where the concepts of “data controller” and “data subject” may be rendered meaningless? Finally, how will we give effect to the human intervention requirement in an age of AI and robots?

These are just some of the questions I’ll be exploring in the lead-up to May 2018.

Elizabeth M. Renieris

Founder @ hackylawyer | Fellow @ Berkman Klein Center for Internet & Society | Fellow @ Carr Center at Harvard | CIPP/E, CIPP/US | Privacy, Identity, Blockchain