Lilian Mitrou

DOI: https://doi.org/10.2139/ssrn.3386914

2018-01-01

SSRN Electronic Journal

Abstract:AI - in its interplay with Big Data, ambient intelligence, ubiquitous computing and cloud computing - augments the existing major, qualitative and quantitative, shift with regard to the processing of personal information. The questions that arise are of crucial importance both for the development of AI and the efficiency of data protection arsenal: Is the current legal framework AI-proof ? Are the data protection and privacy rules and principles adequate to deal with the challenges of AI or do we need to elaborate new principles to work alongside the advances of AI technology? Our research focuses on the assessment of GDPR that, however, does not specifically address AI, as the regulatory choice consisted more in what we perceive as “technology – independent legislation. The paper will give a critical overview and assessment of the provisions of GDPR that are relevant for the AI-environment, i.e. the scope of application, the legal grounds with emphasis on consent, the reach and applicability of data protection principles and the new (accountability) tools to enhance and ensure compliance.

Sean Sirur,Jason R. C. Nurse,Helena Webb,Jason R.C. Nurse

DOI: https://doi.org/10.48550/arXiv.1808.07338

2018-08-22

Computers and Society

Abstract:The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.

David Restrepo Amariles,Aurore Clément Troussel,Rajaa El Hamdani

DOI: https://doi.org/10.48550/arXiv.2012.12718

2020-12-23

Abstract:Most prominent research today addresses compliance with data protection laws through consumer-centric and public-regulatory approaches. We shift this perspective with the Privatech project to focus on corporations and law firms as agents of compliance. To comply with data protection laws, data processors must implement accountability measures to assess and document compliance in relation to both privacy documents and privacy practices. In this paper, we survey, on the one hand, current research on GDPR automation, and on the other hand, the operational challenges corporations face to comply with GDPR, and that may benefit from new forms of automation. We attempt to bridge the gap. We provide a roadmap for compliance assessment and generation by identifying compliance issues, breaking them down into tasks that can be addressed through machine learning and automation, and providing notes about related developments in the Privatech project.

Artificial Intelligence,Machine Learning

J. D. Bruyne,Arno Cuypers,Maja Nisevic

DOI: https://doi.org/10.1109/IJCNN60899.2024.10649994

2024-06-30

Abstract:This paper explores the potential complementarity and overlap between the Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR), explicitly examining safeguarding individual interests in the context of explainable AI systems. The authors make two novel contributions. Firstly, the paper comprehensively outlines the rules for explainable AI as stipulated in the GDPR and the AI Act. Secondly, it delves into the interaction between these legal acts, thereby analysing the types of explanations recognised under both the AI Act and the GDPR, the interpretation of legal requirements, and the implications for high-risk AI systems through the lens of a right to an explanation. Additionally, this paper examines other emerging frameworks in the European Union (EU) that focus on protecting individuals while integrating AI systems into the EU market. The development and deployment of AI systems raise significant concerns regarding the necessity for additional regulatory frameworks within the EU's legal landscape. Consequently, this paper posits that legal requirements for explainable AI likely extend beyond the current GDPR and AI Act regulations, necessitating a broader application of legal rules relevant to a particular sector.

Law,Computer Science

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.48550/arXiv.2002.06830

2020-02-17

Abstract:The enactment of the General Data Protection Regulation (GDPR) in 2018 forced any organization that collects and/or processes EU-based personal data to comply with stringent privacy regulations. Software organizations have struggled to achieve GDPR compliance both before and after the GDPR deadline. While some studies have relied on surveys or interviews to find general implications of the GDPR, there is a lack of in-depth studies that investigate compliance practices and compliance challenges of software organizations. In particular, there is no information on small and medium enterprises (SMEs), which represent the majority of organizations in the EU, nor on organizations that practice continuous integration. Using design science methodology, we conducted an in-depth study over the span of 20 months regarding GDPR compliance practices and challenges in collaboration with a small, startup organization. We first identified our collaborator's business problems and then iteratively developed two artifacts to address those problems: a set of operationalized GDPR principles, and an automated GDPR tool that tests those GDPR-derived privacy requirements. This design science approach resulted in four implications for research and for practice. For example, our research reveals that GDPR regulations can be partially operationalized and tested through automated means, which improves compliance practices, but more research is needed to create more efficient and effective means to disseminate and manage GDPR knowledge among software developers.

Software Engineering

Janos Meszaros,Jusaku Minari,Isabelle Huys

DOI: https://doi.org/10.3389/fgene.2022.927721

IF: 3.7

2022-10-05

Frontiers in Genetics

Abstract:Despite its promising future, the application of artificial intelligence (AI) and automated decision-making in healthcare services and medical research faces several legal and ethical hurdles. The European Union (EU) is tackling these issues with the existing legal framework and drafting new regulations, such as the proposed AI Act. The EU General Data Protection Regulation (GDPR) partly regulates AI systems, with rules on processing personal data and protecting data subjects against solely automated decision-making. In healthcare services, (automated) decisions are made more frequently and rapidly. However, medical research focuses on innovation and efficacy, with less direct decisions on individuals. Therefore, the GDPR's restrictions on solely automated decision-making apply mainly to healthcare services, and the rights of patients and research participants may significantly differ. The proposed AI Act introduced a risk-based approach to AI systems based on the principles of ethical AI. We analysed the complex connection between the GDPR and AI Act, highlighting the main issues and finding ways to harmonise the principles of data protection and ethical AI. The proposed AI Act may complement the GDPR in healthcare services and medical research. Although several years may pass before the AI Act comes into force, many of its goals will be realised before that.

genetics & heredity

Ani Munirah Mohammad,Nadia Nabila Mohd Saufi,Z. Hamin,Wan Rosalili Wan Rosli,Saslina Kamaruddin,M. B. Othman

DOI: https://doi.org/10.1109/ICDT57929.2023.10150615

2023-05-11

Abstract:AI is becoming increasingly important in cybersecurity. AI-based products detect risks and secure systems and data. Cybercriminals can use technology to launch more sophisticated attacks. AI-based security is in demand due to cyberattacks. With the adoption of AI technology, GDPR requires most countries to have legal measures to protect their citizens' data and privacy. Data protection and privacy issues arise when using AI technology. AI use must comply with GDPR, including obtaining consent for data processing, ensuring data accuracy, and giving individuals the right to access, correct, or delete their data. Organisations must also be transparent about how their AI makes decisions and not discriminate against individuals or groups. This study examines Malaysia's GDPR compliance on AI usage, data protection, and privacy in light of current concerns. This study analyses primary and secondary sources using doctrinal research. In 2022, Malaysia's banking, healthcare, and telecommunications sectors were hit by data breaches, indicating that AI is increasing data breaches. Thus, the government must examine citizen data protection and privacy concerns and re-examine its governance, including legal and regulatory mechanisms, to see if it conforms to international norms and consider reforms.

Computer Science,Law

Maria Milossi,Eugenia Alexandropoulou-Egyptiadou,Konstantinos E. Psannis

DOI: https://doi.org/10.1109/access.2021.3072782

IF: 3.9

2021-01-01

IEEE Access

Abstract:Artificial Intelligence (AI) refers to systems designed by humans, interpreting the already collected data and deciding the best action to take, according to the pre-defined parameters, in order to achieve the given goal. Designing, trial and error while using AI, brought ethics to the center of the dialogue between tech giants, enterprises, academic institutions as well as policymakers. Ethical challenges in AI brought ethical AI framework in place in an attempt to regulate people's lives and interactions, used for the benefit of society, for the human rights' protection as well as for the respect of individual's privacy and autonomy. The paper aims to summarize and critically evaluate the basic principles for the use of AI, with emphasis to the General Data Protection Regulation's (GDPR) approach, concerning data subject's consent, data protection principles and data subject's rights in a context of 'privacy by design' architecture.

computer science, information systems,telecommunications,engineering, electrical & electronic

Iakovina Kindylidi,Inês Antas de Barros

DOI: https://doi.org/10.26512/lstr.v13i2.36253

2021-09-07

Abstract:[Purpose] At the earliest stages in AI lifecycle, training, verification and validation of machine learning and deep learning algorithm require vast datasets that usually contain personal data, which however is not obtained directly from the data subject, while very often the controller is not in a position to identify the data subjects or such identification may result to disproportionate effort. This situation raises the question on how the controller can comply with its obligation to provide information for the processing to the data subjects, especially when proving the information notice is impossible or requires a disproportionate effort. There is little to no guidance on the matter. The purpose of this paper is to address this gap by designing a clear risk-assessment methodology that can be followed by controllers when providing information to the data subjects is impossible or requires a disproportionate effort. [Methodology] After examining the scope of the transparency principle, Article 14 and its proportionality exemption in the training and verification stage of machine learning and deep learning algorithms following a doctrinal analysis, we assess whether already existing tools and methodologies can be adapted to accommodate the GDPR requirement of carrying a balancing test, in conjunction with, or independently of a DPIA. [Findings] Based on an interdisciplinary analysis, comprising theoretical and descriptive material from a legal and technological point of view, we propose a risk-assessment methodology as well as a series of risk-mitigating measures to ensure the protection of the data subject's rights and legitimate interests while fostering the uptake of the technology. [Practical Implications] The proposed balancing exercise and additional measures are designed to facilitate entities training or developing AI, especially SMEs, within and outside of the EEA, that wish to ensure and showcase the data protection compliance of their AI-based solutions.

Trudy-Ann Campbell,Samson Eromonsei,Olusegun Afolabi

DOI: https://doi.org/10.30574/wjaets.2024.12.2.0317

2024-07-30

World Journal of Advanced Engineering Technology and Sciences

Abstract:Ensuring compliance with the General Data Protection Regulation (GDPR) presents significant challenges for organizations, especially those developing web and mobile applications. This study investigates the use of automation to enhance GDPR compliance by generating privacy policy captions through static code analysis and deep learning models. Privacy policy captions offer concise, user-friendly summaries of data processing practices, improving transparency and user trust. The research combines qualitative and quantitative methodologies, including static code analysis of application source codes and the application of neural machine translation models to generate privacy policy captions. Findings indicate that automation can effectively produce accurate, consistent, and comprehensible privacy policy captions that align with GDPR requirements. However, limitations such as tool capabilities, dataset diversity, and user testing scale highlight areas for future research. This study provides practical guidelines for implementing automated privacy policy captions, emphasizing the importance of continuous monitoring and updates to maintain compliance. By leveraging automation, organizations can enhance their data protection practices, build user trust, and achieve efficient GDPR compliance.

Orlando Amaral,Muhammad Ilyas Azeem,Sallam Abualhaija,Lionel C Briand

DOI: https://doi.org/10.1109/tse.2023.3288901

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:When the entity processing personal data (the processor) differs from the one collecting personal data (the controller), processing personal data is regulated in Europe by the General Data Protection Regulation (GDPR) through data processing agreements (DPAs). Checking the compliance of DPAs contributes to the compliance verification of software systems as DPAs are an important source of requirements for software development involving the processing of personal data. However, manually checking whether a given DPA complies with GDPR is challenging as it requires significant time and effort for understanding and identifying DPA-relevant compliance requirements in GDPR and then verifying these requirements in the DPA. Legal texts introduce additional complexity due to convoluted language and inherent ambiguity leading to potential misunderstandings. In this paper, we propose an automated solution to check the compliance of a given DPA against GDPR. In close interaction with legal experts, we first built two artifacts: (i) the “shall” requirements extracted from the GDPR provisions relevant to DPA compliance and (ii) a glossary table defining the legal concepts in the requirements. Then, we developed an automated solution that leverages natural language processing (NLP) technologies to check the compliance of a given DPA against these “shall” requirements. Specifically, our approach automatically generates phrasal-level representations for the textual content of the DPA and compares them against predefined representations of the “shall” requirements. By comparing these two representations, the approach not only assesses whether the DPA is GDPR compliant but it further provides recommendations about missing information in the DPA. Over a dataset of 30 actual DPAs, the approach correctly finds 618 out of 750 genuine violations while raising 76 false violations, and further correctly identifies 524 satisfied requirements. The approach has thus an average precision of 89.1%, a recall of 82.4%, and an accuracy of 84.6%. Compared to a baseline that relies on off-the-shelf NLP tools, our approach provides an average accuracy gain of $\approx$20 percentage points. The accuracy of our approach can be improved to $\approx$94% with limited manual verification effort.

engineering, electrical & electronic,computer science, software engineering

Piero A. Bonatti,Sabrina Kirrane,Iliana M. Petrova,Luigi Sauro

DOI: https://doi.org/10.1007/s13218-020-00677-4

2020-07-08

Abstract:The European General Data Protection Regulation (GDPR) calls for technical and organizational measures to support its implementation. Towards this end, the SPECIAL H2020 project aims to provide a set of tools that can be used by data controllers and processors to automatically check if personal data processing and sharing complies with the obligations set forth in the GDPR. The primary contributions of the project include: (i) a policy language that can be used to express consent, business policies, and regulatory obligations; and (ii) two different approaches to automated compliance checking that can be used to demonstrate that data processing performed by data controllers/processors complies with consent provided by data subjects, and business processes comply with regulatory obligations set forth in the GDPR.

Haocheng Lin

2024-09-25

Abstract:The popularisation of applying AI in businesses poses significant challenges relating to ethical principles, governance, and legal compliance. Although businesses have embedded AI into their day-to-day processes, they lack a unified approach for mitigating its potential risks. This paper introduces a framework ensuring that AI must be ethical, controllable, viable, and desirable. Balancing these factors ensures the design of a framework that addresses its trade-offs, such as balancing performance against explainability. A successful framework provides practical advice for businesses to meet regulatory requirements in sectors such as finance and healthcare, where it is critical to comply with standards like GPDR and the EU AI Act. Different case studies validate this framework by integrating AI in both academic and practical environments. For instance, large language models are cost-effective alternatives for generating synthetic opinions that emulate attitudes to environmental issues. These case studies demonstrate how having a structured framework could enhance transparency and maintain performance levels as shown from the alignment between synthetic and expected distributions. This alignment is quantified using metrics like Chi-test scores, normalized mutual information, and Jaccard indexes. Future research should explore the framework's empirical validation in diverse industrial settings further, ensuring the model's scalability and adaptability.

Artificial Intelligence,Machine Learning

Philipp Hacker,Johann Cordes,Janina Rochon

DOI: https://doi.org/10.1017/err.2023.81

2023-12-13

European Journal of Risk Regulation

Abstract:Artificial intelligence (AI) is not only increasingly being used in business and administration contexts, but a race for its regulation is also underway, with the European Union (EU) spearheading the efforts. Contrary to existing literature, this article suggests that the most far-reaching and effective EU rules for AI applications in the digital economy will not be contained in the proposed AI Act, but in the Digital Markets Act (DMA). We analyse the impact of the DMA and related EU acts on AI models and underlying data across four key areas: disclosure requirements; the regulation of AI training data; access rules; and the regime for fair rankings. We demonstrate that fairness, under the DMA, goes beyond traditionally protected categories of non-discrimination law on which scholarship at the intersection of AI and law has focused on. Rather, we draw on competition law and the FRAND criteria known from intellectual property law to interpret and refine the DMA provisions on fair rankings. Moreover, we show how, based on Court of Justice of the European Union jurisprudence, a coherent interpretation of the concept of non-discrimination in both traditional non-discrimination and competition law may be found. The final section sketches out proposals for a comprehensive framework of transparency, access and fairness under the DMA and beyond.

Phoebe Li,Robin Williams,Stephen Gilbert,Stuart Anderson

DOI: https://doi.org/10.5204/lthj.3073

2023-11-21

Abstract:Recent achievements in respect of Artificial Intelligence (AI) open up opportunities for new tools to assist medical diagnosis and care delivery. However, the typical process for the development of AI is through repeated cycles of learning and implementation, something that poses challenges to our existing system of regulating medical devices. Product developers face tensions between the benefits of continuous improvement/deployment of algorithms and keeping products unchanged. The latter more easily facilitates collecting evidence for safety assurance processes but sacrifices optimisation of performance and adaptation to user needs gained through learning-implementation cycles. The challenge is how to balance potential benefits with the need to assure their safety. Governance and assurance processes are needed that can accommodate real-time or near-real-time machine learning. Such an approach is of great importance in healthcare and other fields of application. AI has stimulated an intense process of learning as this new technology embeds in application contexts. The process is not only about the application of AI in the real world but also about the institutional arrangements for its safe and dependable deployment, including regulatory experimentation involving new market pathways, monitoring and surveillance, and sandbox schemes. We review the key themes, challenges and potential solutions raised at two stakeholder workshops and highlight recent attempts to adapt the laws for AI-enabled medical devices (AIeMD) with a special focus on the regulatory proposals in the UK and internationally. The UK regulatory trajectory shows signs of alignment with the US thinking, and yet the European Union model is still the most closely aligned framework.

Thomas Şerban von Davier,Konrad Kollnig,Reuben Binns,Max Van Kleek,Nigel Shadbolt

DOI: https://doi.org/10.48550/arXiv.2305.04061

2023-05-06

Abstract:Since GDPR went into effect in 2018, many other data protection and privacy regulations have been released. With the new regulation, there has been an associated increase in industry professionals focused on data protection and privacy. Building on related work showing the potential benefits of knowledge management in organisational compliance and privacy engineering, this paper presents the findings of an exploratory qualitative study with data protection officers and other privacy professionals. We found issues with knowledge management to be the underlying challenge of our participants' feedback. Our participants noted four categories of feedback: (1) a perceived disconnect between regulation and practice, (2) a general lack of clear job description, (3) the need for data protection and privacy to be involved at every level of an organisation, (4) knowledge management tools exist but are not used effectively. This paper questions what knowledge management or automation solutions may prove to be effective in establishing better computer-supported work environments.

Computers and Society,Human-Computer Interaction

Jacintha Walters,Diptish Dey,Debarati Bhaumik,Sophie Horsman

2023-07-20

Abstract:The EU AI Act is the proposed EU legislation concerning AI systems. This paper identifies several categories of the AI Act. Based on this categorization, a questionnaire is developed that serves as a tool to offer insights by creating quantitative data. Analysis of the data shows various challenges for organizations in different compliance categories. The influence of organization characteristics, such as size and sector, is examined to determine the impact on compliance. The paper will also share qualitative data on which questions were prevalent among respondents, both on the content of the AI Act as the application. The paper concludes by stating that there is still room for improvement in terms of compliance with the AIA and refers to a related project that examines a solution to help these organizations.

Artificial Intelligence

Bryce Goodman,Seth Flaxman

DOI: https://doi.org/10.1609/aimag.v38i3.2741

2016-08-31

Abstract:We summarize the potential impact that the European Union's new General Data Protection Regulation will have on the routine use of machine learning algorithms. Slated to take effect as law across the EU in 2018, it will restrict automated individual decision-making (that is, algorithms that make decisions based on user-level predictors) which "significantly affect" users. The law will also effectively create a "right to explanation," whereby a user can ask for an explanation of an algorithmic decision that was made about them. We argue that while this law will pose large challenges for industry, it highlights opportunities for computer scientists to take the lead in designing algorithms and evaluation frameworks which avoid discrimination and enable explanation.

Machine Learning,Computers and Society

J. Noar,N. Hemmings

DOI: https://doi.org/10.12968/ORTU.2018.11.3.110

2018-07-02

Orthodontic Update

Abstract:Abstract: The General Data Protection Regulations (GDPR) govern the use of personal data within the European Union as from 25th May 2018. This supersedes the legislation of the Data Protection Act (DPA). Whilst it has many similarities to the DPA, it has significant enhancements that require active engagement to ensure compliance. It is a requirement for practices to appoint a Data Protection Officer, pay the Information Commissioners Office (ICO) fee, update their privacy notices, create written contracts between controllers and processors, identify and document the lawful basis for processing data, and comply with the rights of individuals. CPD/Clinical Relevance: Data protection regulations have changed as part of EU legislation. These changes applied from 25th May 2018 and are applicable to all.

Business,Law

Damiano Torre,Mauricio Alferez,Ghanem Soltana,Mehrdad Sabetzadeh,Lionel Briand

DOI: https://doi.org/10.48550/arXiv.2007.12046

2020-07-23

Abstract:In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step towards designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL, and (4) the set of 20 variations points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.

Software Engineering