
5: AI & Data protection Flashcards

(10 cards)

1
Q

What are the different scopes of application?

A
  • material scope of application: is it applicable to the situation I am dealing with?
  • personal scope of application: who has to comply?
  • territorial scope of application: do I have to comply?
    Ex. GDPR in the US, does this apply to me in Belgium?
  • temporal scope of application: when?
    Ex. I did something 10y ago, I noticed today that I needed to comply, is it still relevant?
2
Q

Material scope of application GDPR?

A

Regulation applies to the processing of personal data
-> processing is any operation whether automated or not
-> personal data: any information relating to identified or identifiable natural person
=> identifiable: Ex. converting dynamic IP address to static IP address to individual internet user (=> dynamic IP address = personal data)
=> natural person = living beings (so unborn and dead do not fall under GDPR) <=> legal person: companies

3
Q

Can we avoid processing personal data when training a ML model?

A

Synthetic data as training set via generative adversarial networks (generator/discriminator):
NO,
* training a GAN still requires the processing of the original dataset that likely qualifies as personal data
* the quality of the generator and thus the synthetic data depends on the quality of the original dataset and the performance of the discriminator
=> potential risk of re-identification of synthetic datasets
==> fall under GDPR

4
Q

Personal scope of application GDPR?

A

Who has to comply:
GDPR applies to 2 actors:
1) controller: must comply with all principles and rules in the GDPR
=> natural/legal person/public authority which alone or jointly determines the purpose and means of the processing of the personal data (also possible to be joint controller)
2) processor: must only comply with specific obligations
=> natural/legal person/public authority which processes personal data on behalf of the controller

5
Q

What are the general principles governing the processing of personal data?

A

1) Each processing must rely on a lawful ground => 6 lawful grounds
2) Transparency: controllers must inform data subjects
3) Purpose limitation
4) Data minimisation
5) Accuracy: personal data has to be accurate and up to date
6) Storage limitation: personal data cannot be stored longer than necessary for the purposes for which they are processed

6
Q

What is lawfulness?

A

Each processing must rely on a lawful ground
=> 6 lawful grounds:
1) consent: safest option, for the consent to be valid:
* consent must be freely given: no negative consequences when it is not given
* specific: for well-defined operations
* informed
* unambiguous: positive action from the subject
=> controllers must be able to demonstrate consent
=> consent can be withdrawn at any time
2-5) other lawful grounds require the controller to perform a necessity test:
* processing personal data must be objectively necessary
* is not objectively necessary when: it is possible to achieve the purpose without processing or there is a less intrusive way to achieve the purpose
6) processing personal data out of legitimate interest of the controller
* often used as flexible solution
* only under strict conditions:
- legitimate interest
- necessity test
- balance between controller's interest and subject's interest and fundamental rights and freedoms

7
Q

What is purpose limitation?

A

Purpose limitation is divided into 2 subprinciples:
1) Purpose specification: every time personal data is collected, you need to specify why the data is collected
2) Compatibility assessment: personal data cannot be further processed in a manner that is incompatible with the purposes specified for the collection
=> if further processing is incompatible there is need for another lawful ground

8
Q

What is data minimisation?

A

Personal data has to be limited to what is necessary in relation to the purpose for which it has been collected
=> possible to achieve purpose without a specific piece of personal data?
=> possible to achieve the purpose with a less intrusive piece of personal data?
==> tension between data-hungry AI systems (collect first, think later) and privacy

9
Q

What are the rights of the subjects?

A
  • Right of information
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to object
  • Right to explanation
10
Q

Right of access?

A

Information must be made available by the controller to the subject upon request
* confirmation that data is being processed
* copy of personal data at stake
* information on purposes/recipients/…
