Abstract
Bots and AI have the potential to revolutionize the way that personal data is processed. Unlike processing performed by traditional methods, they have an unprecedented ability (and patience) to gather, analyze and combine information. However, the introduction of “smarter” computers does not always mean that the nature of the processing will change; often, the result will be substantially similar to processing by a human. We cannot, then, regulate processing by bots and AI as a sui generis concept. This chapter examines the different regulatory approaches that exist under the new General Data Protection Regulation (the GDPR )—the general regulatory approach (which treats all processing in the same way), the specific regulatory approach (which imposes specific rules for automated processing ) and the co-regulatory approach (where data controllers are required to analyze and mitigate the risks on their own). It then considers how these approaches interact and makes some recommendations for how they should be interpreted and implemented in the future.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation ) [2016] OJ L119/1.
- 2.
GDPR, Recital 15.
- 3.
Sartor (1993), p. 15.
- 4.
Russell and Norvig (2016), p. 2.
- 5.
See, e.g., Botnik’s chapter written in the style of Harry Potter. Available at: http://botnik.org/content/harry-potter.html. Accessed 3 January 2018.
- 6.
See, e.g., the Reddit bot AutoTLDR. Available at: https://www.reddit.com/r/autotldr/comments/31b9fm/faq_autotldr_bot/?st=j041su3v&sh=295425b7. Accessed 3 January 2018.
- 7.
Nwana (1996), Part 4.
- 8.
This conclusion was reached at the FRII Analysis Workshop held at Aalto University, Helsinki, Finland on 14 June 2017 and reinforced at the FRII Seminar held at the Hanken School of Economics, Helsinki, Finland on 11 September 2017.
- 9.
The GDPR, Recital 10.
- 10.
The GDPR, Recital 4.
- 11.
See, e.g., Maxwell (2015), pp. 212 et seq.
- 12.
C-582/14 Breyer v Bundesrepublik Deutschland (Second Chamber, 19 October 2016). Published in the electronic Report of Cases.
- 13.
C-582/14 Breyer v Bundesrepublik Deutschland, paras. 41–43.
- 14.
C-582/14 Breyer v Bundesrepublik Deutschland, para. 46.
- 15.
See, e.g., Googlebot. Available at: https://support.google.com/webmasters/answer/182072?hl=en. Accessed 26 November 2017.
- 16.
See, e.g., Mayer-Schönberger and Cuckier (2013), pp. 154 et seq.
- 17.
See, e.g., Council of the European Union (2014).
- 18.
See, e.g., Pearce (2015).
- 19.
See, e.g., Rubinstein (2013).
- 20.
- 21.
Pearce (2015), p. 151.
- 22.
One issue with such a bot is that it will require appropriate data security measures to, e.g., ensure that the removal of consent is actually coming from the relevant data subject . The depth of this security will depend on the nature of the data and the processing involved, but should be manageable in most scenarios.
- 23.
See, e.g., the MyData project. Available at: https://www.lvm.fi/documents/20181/859937/MyData-nordic-model/. Accessed 29 November 2017.
- 24.
For a wider discussion of this Article, see Kamarinou et al. (2016).
- 25.
- 26.
Article 29 Working Party (2017a), p. 10.
- 27.
Charter of Fundamental Rights of the European Union, Article 8.
- 28.
Article 29 Working Party (2018), p. 21.
- 29.
Article 29 Working Party (2017a), p. 11.
- 30.
See Footnote 28.
- 31.
See, e.g., Terms of Service: Didn’t Read. Available at: https://tosdr.org/. Accessed 3 January 2018; biggestlie.com. Available at: http://biggestlie.com/. Accessed 3 January 2018; and Obar and Oeldorf-Hirsch (2016).
- 32.
European Commission (1992), p. 26.
- 33.
Bygrave (2001), p. 26.
- 34.
Such a test could draw inspiration for the rules of judicial review in England and Wales: See Associated Provincial Picture Houses v Wednesbury Corporation [1948] 1 KB 223 and subsequent case law for more details.
- 35.
Article 29 Working Party (2018), p. 25.
- 36.
European Parliament (2011), p. 21.
- 37.
European Parliament (2011), p. 9.
- 38.
European Commission (2012), p. 9.
- 39.
Council of the European Union (2010).
- 40.
Council of the European Union (2010), p. 6.
- 41.
Binns (2017), p. 25.
- 42.
See Binns (2017).
- 43.
Parker (2007), pp. 14 and 98.
- 44.
See Information & Privacy Commissioner of Ontario (2013).
- 45.
Article 29 Working Party (2017b).
- 46.
Koops (2014), pp. 254–255.
- 47.
GDPR, Sect. 4.
- 48.
Koops (2014), p. 259.
- 49.
For a list of companies who have self-certified under the Privacy Shield, see https://www.privacyshield.gov/list Accessed 12 September 2017. For a list of companies who were self-certified under Safe Harbour, see https://www.export.gov/safeharbor_eu. Accessed 12 September 2017.
- 50.
See, e.g., https://www.iso.org/standards.html. Accessed 12 September 2017.
- 51.
- 52.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31.
- 53.
The GDPR, Recital 6.
- 54.
See, e.g., de Hert (2016), p. 464.
- 55.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L201/37.
References
Article 29 Working Party. (2011). Opinion 15/2011 on the Definition of Consent.
Article 29 Working Party. (2017a). Guidelines on automated individual decision-making and profiling for the purposes of regulation 2016/679
Article 29 Working Party. (2017b). Guidelines on Data protection impact assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679
Article 29 Working Party. (2018). Guidelines on Automated individual decision-making and profiling for the purposes of regulation 2016/679 (revised).
Baraniuk, C. (2017). The ‘Creepy Facebook AI’ story that captivated the media. BBC News, August 1, 2017.
Binns, R. (2017). Data protection impact assessments: A meta-regulatory approach. International Data Privacy Law, 7(1), 22.
Bygrave, L. (2001). Automated profiling: Minding the machine: Article 15 of the EC data protection directive and automated profiling. Computer Law & Security Report, 17(1), 17.
Council of Europe. (2010). The protection of individuals with regard to automatic processing of personal data in the context of profiling: Recommendation CM/Rec(2010)13 and explanatory memorandum.
Council of the European Union. (2014). Right to be forgotten and the Google Judgment. Interinstitutional File 2012/0011 (COD).
de Hert, P. (2016). The future of privacy. Addressing singularities to identify bright-lines that speak to us. European Data Protection Law Review, 3(4), 461.
European Commission. (2012). Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM(2012) 11 final.
European Parliament. (2011). Report on a comprehensive approach on personal data protection in the European Union 2011/2025(INI). A7-0244/2011.
Information & Privacy Commissioner of Ontario. (2013). Privacy by design. Available at: https://www.ipc.on.ca/resource/privacy-by-design/. Accessed December 8, 2017.
Kamarinou, D., Millard, C., & Singh, J. (2016). Machine learning with personal data. Queen Mary Legal Studies Research Paper 247/2016.
Koops, B. J. (2014). The trouble with European data protection law. International Data Privacy Law, 4(4), 250.
Leonard, P. (2014). Customer data analytics: Privacy settings for ‘big data’ businesses. International Data Privacy law, 4(1), 53.
Maxwell, W. (2015). Principles-based regulation of personal data: The case of ‘fair processing’. International Data Privacy Law, 5(3), 205.
Mayer-Schönberger, V., & Cukier, K. (2013). Big data: A revolution that will transform how we live, work and think. John Murray, Kindle edition.
Míšek, J. (2015). Consent to personal data processing—The Panacea or the dead end? Masaryk University Journal of Law & Tech, 8, 69.
Nwana, H. (1996). Software agents: An overview. Knowledge Engineering Review, 11(3), 1.
Obar, J., Oeldorf-Hirsch, A. (2016). The biggest lie on the internet: Ignoring the privacy policies and terms of service policies of social networking services. In TRPC 44 Conference on Communication, Information and Internet Policy, Virginia, 2016. Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757465. Accessed January 3, 2018.
Parker, C. (2007). Meta-regulation: Legal accountability for corporate social responsibility. In D. McBarnet, A. Voiculescu, & T. Campbell (Eds.), The new corporate accountability: Corporate social responsibility and the law. Cambridge: Cambridge University Press.
Pearce, H. (2015). Online data transactions, consent and big data: Technological solutions to technological problems. Computer and Telecommunications Law Review, 21(6), 149.
Rubinstein, I. (2013). Big data: The end of privacy or a new beginning. International Data Privacy Law, 3(2), 74.
Russell, S., & Norvig, P. (2016). Artificial intelligence: A modern approach. Upper Saddle River, New Jersey: Pearson.
Sartor, G. (1993). Artificial intelligence and law: Legal philosophy and legal theory. Norweigian Research Centre for Computers and Law, CompLex 1/93, Tano, Oslo.
Acknowledgements
This chapter was written as part of the Future Regulation of Industrial Internet project at the IPR University Center, Helsinki. I wish to express my gratitude to Olli Pitkänen for comments on an earlier draft of this chapter.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Wrigley, S. (2018). Taming Artificial Intelligence: “Bots,” the GDPR and Regulatory Approaches. In: Corrales, M., Fenwick, M., Forgó, N. (eds) Robotics, AI and the Future of Law. Perspectives in Law, Business and Innovation. Springer, Singapore. https://doi.org/10.1007/978-981-13-2874-9_8
Download citation
DOI: https://doi.org/10.1007/978-981-13-2874-9_8
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-2873-2
Online ISBN: 978-981-13-2874-9
eBook Packages: Law and CriminologyLaw and Criminology (R0)