How GDPR Restricts AI in Handling Personal Data: Managing Partner of Legal IT Group Explains

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR is a regulation on data protection from the Council of the European Union that stipulates how legal entities should use personal data of all EU citizens. This refers to not only data processing and storage within the EU borders but also data export.

Article 25 of the GDPR contains the so-called Privacy by Design concept, which sets out technical requirements for systems that process personal data, including artificial intelligence systems.


How does Article 25 of the GDPR work in practice? Anton Tarasiuk, speaker at AI Conference Kyiv and Managing Partner of Legal IT Group, helped us look into this question.

Anton Tarasiuk is a Managing Partner of the company that provides legal support to IT projects and startups. In over 6 years of legal practice, he has successfully supported a variety of contractual relations in the field of IT services outsourcing for foreign contractors. He specializes in the legal support of Big Data projects.

The expert explained what “profiling” and “automated decision-making system” mentioned in the document mean, who owns the intellectual (or some other) property right to work results created by artificial intelligence, and in what cases the right of EU citizens and residents not to be subject to profiling and automated decision-making may have no force.

Privacy by design: GDPR in AI technologies

Today a great number of data-driven companies gladly use targeted advertising, remarketing, and the whole range of customer personal data to achieve their advertising goals.

Imagine that you enter a store in the shopping mall and receive a text message saying, “Welcome to our store, get your personal discount!” You feel puzzled and wonder whether someone is watching you. So, you rush to another store and get another similar text message. You throw your smartphone on the floor saying, “I guess I’m a paranoiac!” and at this moment you get a voice message, “Pills for you and your family!”

Frightening? It often happens that we give our consent for all these things. Consent for the use of personal data as a payment for the service, for personalized newsletters, and for the use of data about your puppy’s well-being. What does the GDPR say about it all, and what does it have to do with AI?

Profiling and automated decision-making

The GDPR warns about the discrimination risk when using profiling and automated decision-making systems in relation to the data subject.

Decisions that do not involve human participation are considered highly risky. It is even worse when the machine (AI) learns about vulnerabilities of a certain individual from the analysis findings and sends him or her the advertising that increases the chances of making a risky purchase thanks to that vulnerability.

What kind of a machine is that? Don’t we all have the right to use artificial intelligence technologies for processing personal data of Europeans? We can do that but reasonably and abiding by the rights of data subjects.

GDPR + AI = one love

1. When you obtain the consent of data subjects under the GDPR, you have to inform them that they can be classified into a certain group of individuals (as part of profiling), which can have consequences for them (you should specify which ones).

2. You should obtain additional consent (a standalone tick) if you put personal data of the subject in the black box of the super AI. In this case, you should explain to the user in understandable terms that you will do this and what will happen next.

3. You should explain the logic of your AI to users. Data subjects should be aware of AI operating principles. “How to describe it all? We do not understand ourselves how this thing works,” you will say. I will say – using words, schemes, infographics, and slides.

This checklist is a good beginning. When you start working on making your AI project compliant with the GDPR, use a comprehensive approach – draw a data circulation map, understand the role of AI in this process, and, based on this information, draft documents and build the technical basis.

AI provides new opportunities, but you should not forget that you simply cannot throw the personal data of millions of people in the cooking pot without their consent and receive specific insights for specific case studies.

Is it possible in general? Yes, if everything takes place within the limits of the law.
