A lot has been said, and much has been discussed about the upcoming effects of GDPR – like how the organization is collecting the data and in what other ways they are making use of the data, and many more discussions are ongoing. Amongst these, all machine learning has become a key player and has gained traction amongst prominent role across organizations, and a key question is emerging and mystifying amongst regulators, researchers and lawyers alike; How will the GDPR impact on machine learning applications?
The GDPR in Few Lines
If you are actively living on this planet, then I am pretty sure that you must have heard about the Facebook and Cambridge Analytica Scandal and Mark’s statement on Facebook is making in response to European Union’s GDPR – General Data Protection Regulation. If you do not belong to Europe, then you would have heard the statement from U.S. Senator Brain Schatz that all the technology partners, as well as platforms, will adopt the EU approach for data protection.
GDPR is indeed a big deal, and since it has become a law in the European Union, it has undeniably improved the data protection for EU citizens and the people around the world. If your company belongs to EU or any other part of the world as long as you have EU citizens as users or customers and your process with their data, GDPR is very much relevant for your business.
So I am not an expert on EU law system. The opinions written in this blog are just a summary of my extensive research. I have tried my best to justify the subject and accurately present to you. As a mutually beneficial relationship builds on algorithms and human is not a technical problem; hence we are concerned about the social as well as legal aspects on algorithms. I am writing this article to make you understand about this concept that is hugely controversial and bring out more discussions on these significant issues.
Highlights and Article GDPR 22
GDPR is not limited to the businesses and enterprises with their headquarters set in EU, but it belongs to everyone out there whose data belongs EU citizen. The companies who will violate the regulation will have to bare penalty up to 20M or 4% of the global revenue, whichever is higher. GDPR is regulation, on the other hand, DPD is directive – a set of general rules. Regulation is similar to the national law; thus GDPR was enforced without any legislative procedure.
For more on EU GDPR refer the below image,
Right to the explanation
GDPR has introduced the “right to the explanation,” so what exactly is being granted in the Regulation.
GDPR Article 22 states that right to acquire human involvement on the part of the controller, to express his or her point of view to meet the decision”, on the other hand, a person has right not to be part of a decision that is based on automated processing.
GDPR has introduced “right to be informed,” and this is entirely different from the right to ask explanations and decisions made by algorithms. On the other hand, following Article 13 to 15 it gives personal liberty to access the data that’s been collected, and the right to know the purpose of collecting the data. It also includes the right to receive about algorithm, meaningful information and possible impact.
Full text of GDPR Article 13 Paragraph 2 (h)
Does the GDPR prohibit machine learning?
Technically the answer to this question appears to be yes. The GDPR does contain automated decision-making without human intervention and significant effects on data subjects. Significantly, GDPR applies to all uses of EU data that could identify a data subject in which data science programs make use of a large volume of data that GDPR will apply to almost all the activities.GDPR makes use of the term “automated decision-making,” the guideline is referring to any model that is involved in the decision directly. It could contain anything from the automated of a data subject like identifying 30 to 35-year-old females, a specific group of potential customers or to determine the applicant eligible for a direct loan or not. As a result, GDPR makes use of ML models without keeping human in the decision-making loop. If this is the case, then a huge of number of ML models are likely to prohibited by default
So why GDPR’s ban on Machine Learning is so misleading?
There are various expectations on the exclusion of the autonomous use of machine learning – prohibition is not a write word to use. GDPR is already in effect, and data scientists are expecting most applications of machine learning to be achievable.
A Bit More Detail to the Prohibition
The guideline classifies three areas where you can consider autonomous as legal:
- In the case of processing is contractual
- when it’s separately authorized by another law
- and when the data subject complies.
When a data subject explicitly permits the data to be used by a model – it’s a common way around this prevention. Top manage individual’s user consent is not secure. Users them self can approve too many diverse types of data processing and users hold the right to withdraw the consent at any time. So in a simpler term, approval needs to be dynamic and user-friendly, so data-subjects are empowered to understand how their data is being used and control over the use.
Therefore, GDPR does not prohibit the use of Machine Learning models. This is particularly pertinent to AI in the legal industry, where the most powerful use cases of machine learning make the management and deployment increasingly challenging.
Conclusion
I have only scratched the surface and GDPR’s potential impact on machine learning. There’s a lot to say about machine learning. As its relatively new and interesting field that will certainly not stop researchers in this area because of some fear at the moment. It should stop differentiation and unfair practices that are the only positive things. Consent is significantly a key, but in this case, it does not seem good enough. Transparency is indeed necessary and if you do use profiling or might make use of automated-decision making algorithms, ensure to respect all the necessities of the GDPR and considerably follow the rights of the data subject at first.