Some points of the EDPB-EDPS joint opinion on the AIR
– Recommendation to clarify in art 1 AIR the applicability of the GDPR to AI systems (AIS) that process personal data (I think it goes without saying)
– They welcome the risk-based approach.
But they consider
— AIR leaves out the risks for groups of individuals or the society as a whole
— the concept of ‘risk to fundamental rights’ should be aligned with the GDPR
— the lack of reference to individual rights in the AIR is a blindspot
— some AIS that pose serious risks are not included among the HRAIS listed in Annex II and III (e.g. AIS for determining insurance premiums or for assessing medical treatments or health research)
— providers of AIS may not always evaluate all possible uses of an AIS. Hence the initial risk assessment carried out by the provider may not label an AIS as HRAIS, so a subsequent, more detailed evaluation (DPIA) should be carried out by the user of the AIS (as a controller)
— HRAIS processing personal data trigger a presumption of ‘high-risk’ under the GDPR
— CE marking under the AIR does not imply that the processing operations are lawful under the GDPR
— compliance with the GDPR should be a precondition for being allowed to enter the EU market CE-marked.
— Steps: Risk assessment by the provider of the AIS (considering the use-case), auditing by a third party before CE marking, and the DPIA carried out by the user considering the use-case, the specific context of use, and the third-party audit.
They suggest the prohibition of:
— any type of social scoring (not only by PA or on their behalf)
— automated recognition of human features in publicly accessible areas, including large-scale remote identification in online spaces
— biometric categorisation of individuals into clusters (ethnicity, gender)
— prediction of criminal offences based on personality or past criminal behaviour
— emotion inferencing (except for health or research purposes)
HRAIS
– propose third-party (3P) conformity assessment for all HRAIS (the AIR only requires it for RBI, art. 43)
– requirement that all AIS already in operation comply with the AIR (not only those entering the market after the entry into force of the AIR, art. 83)
Governance
– designation of DPA as the AIR national supervisory authorities (art. 59 AIR) to ensure a harmonised approach and consistent interpretation of data protection provisions
Interaction with data protection framework
– Individual rights must be expressly included in the AIR
– DS should be informed when their personal data is used for AI training or prediction
– On transparency
— they welcome the creation of the registry of HRAIS (I would argue that the register is of limited use for end-users or individuals)
— the AIR should promote new, more proactive and timely ways to inform users of AIS about the decision-making status, providing early warning of potentially harmful effects
— right to explanation as an enhanced transparency measure
Compliance
– the certification mechanism established in the AIR is not aligned with the GDPR certification scheme and could create legal uncertainty (e.g. an AIS certified under the AIR and CE-marked may, once placed on the market, turn out not to be GDPR compliant)
– the AIR should require data minimisation and data protection by design before the CE marking is obtained
– they recommend clarifying the relationship between the AIR and the GDPR certification schemes, and the synergies between the codes of conduct regulated in the AIR (art. 69) and GDPR codes of conduct
EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence