The AI Conundrum: Governance and Supervision

Wojciech Wiewiórowski

If you believe everything you read in the papers or see in films, artificial intelligence (AI) is either going to be the saviour or the downfall of the world as we know it. While we’re not yet witnessing either extreme, it is not under dispute that the various applications of AI raise a number of challenges for those defending the rights and freedoms of individuals.

The explosion of meetings, conferences and discussions in the EU and beyond on fairness, non-discriminatory treatment, explainability, due process, or the cumulative negative effects linked to the inherent characteristics of such technologies all hope to solve the AI puzzle. What isn’t being discussed as much is the role of Data Protection Authorities (DPAs) and how to supervise AI.

To the many questions being asked, the EDPS adds another: how can data protection authorities confront the multi-faceted impact of AI technologies on human rights?

Collective intelligence

To help us look for answers, on 21 January, the EDPS gathered 40 representatives from Data Protection Authorities, NGOs, academia, EUIs and the private sector to an interactive meeting. The format of the World Café, which is becoming a bit of a tradition at the EDPS, brought forward a variety of perspectives and ideas on how to prepare for the challenges of AI supervision.

The debate continued on 23 January at the Computers, Privacy and Data Protection Conference, in the more traditional format of a panel of four speakers, who shared their experiences of introducing innovative approaches to regulate or supervise AI: Reuben Binns (ICO) introduced the ICO AI Auditing framework and the concept of regulatory sandboxes; Marit Hansen (Privacy Commissioner of Schleswig-Holstein/Chief of Unabhängiges Landeszentrum für Datenschutz) explained the proposal of the German Data Ethics Commission for AI systems categorisation; Joni Komulainen (Finnish Ministry of Health) presented Findata, a Finnish law regulating secondary uses of social, health and socio-economic data for the purposes of research and development, including AI; Olivier Micol (DG Just) offered an overview of the suitability of the GDPR to regulate AI.

Expertise, values and collaboration

Despite the EDPS’ past successes with the World Café format, the result of the discussions in January exceeded all our expectations. The overarching belief of the participants is that the protection of our democratic values, risk analysis and collaboration should underline the action of any DPA.

Participants continue to view DPAs as key in ensuring individuals are afforded fair treatment:

1) DPAs are experts who clarify how data protection laws protect individuals;
2) They ensure that the responsible entity is clearly identified and held accountable for the algorithms they produce;
3) DPAs should collaborate with other stakeholders to share expertise, to provide guidance or to carry out joint enforcement actions.

What’s next?

The encouraging results of these two events has inspired us to continue the discussion, which is why  we will further analyse the challenges posed by AI during an expert workshop on AI and on facial recognition on 13 February 2020. In addition, we will launch a survey to map the use of AI by EU Institutions.

Moreover, we will take heed of the sage advice from the World Cafe and reach out to other supervisory authorities and stakeholders to collaborate with them, as the EDPS has already done in previous initiatives such as the Digital Clearing House and The Hague Forum.