GDPR VS AI

The Law on Personal Data Protection in our country was adopted on February 16, 2020. Through this law, harmonization was achieved with the EU’s GDPR (General Data Protection Regulation). In the EU, on August 1, 2024, a Law on Artificial Intelligence was also adopted, aiming to regulate and promote innovations in this field within the EU. However, these two areas have conflicts with each other, which we have attempted to address in the text below.

How AI uses personal data

Artificial intelligence often uses large amounts of data to learn and improve. This data includes personal information collected from various sources, such as social media, internet searches, shopping habits, health and fitness tracking apps, and many others. AI systems analyze this data to make predictions and make automated decisions that can be faster and more accurate than those made by humans.

For example, AI can use personal data to recommend products based on our previous purchases or searches, provide various suggestions based on our data, or even predict the best job candidates for a company. However, with these advantages come serious challenges.

Some decisions made by AI systems can be incorrect or discriminatory because they use data in a way that may replicate existing biases or create new ones. For instance, if AI systems are trained with biased or discriminatory data, they will reproduce those same biases in their predictions and decisions.

Challenges in the context of GDPR and personal data protection

GDPR sets serious requirements regarding how personal data can be used and processed, aiming to protect personal data and individuals’ rights while preventing the misuse of their data. One of the most important principles established by GDPR is the principle of “purpose limitation.” This principle means that data should only be used for the specific purposes for which it was originally collected and should not be processed for other purposes without explicit consent from the individual.

However, artificial intelligence and big data are often used for new and unexpected purposes, leading to conflicts with the principles of GDPR. For example, data collected for one purpose (such as analyzing consumer habits) may be used for another purpose (such as targeted advertising), which is not in line with the original intent. This presents a challenge for AI, as it relies on large amounts of data to make accurate predictions and decisions.

заштита на личните податоци

7 Points of Conflict between GDPR and AI

1. Purpose Limitation

GDPR: Data should only be used for the specific purpose for which it was collected and cannot be used for other purposes without explicit consent from the user.
AI: AI systems often use data for new and unexpected purposes, such as discovering new trends or making predictions that were not initially planned, which can conflict with this principle.

2. Data Minimization

GDPR: Requires that only the data necessary for achieving a specific purpose be collected and processed.
AI: AI requires vast amounts of data to learn and develop. Therefore, more data is often collected than is necessary for a specific purpose, to improve the accuracy of predictions.

3. Automated Decision-Making and Profiling

GDPR: Automated decision-making that has legal consequences for an individual or significantly affects them is prohibited unless consent has been given or it is necessary for the execution of a contract.
AI: AI systems can make automated decisions based on the analysis of large amounts of data. These decisions can sometimes be biased or inaccurate, potentially affecting individuals in unpredictable ways.

4. Transparency and Explanation of Decisions

GDPR: Users have the right to receive a clear explanation of how and why automated decisions that affect them were made.
AI: Many AI models, especially those based on deep learning, are “black boxes,” making it difficult to explain their decision-making processes.

5. Data Subject Rights

GDPR: Individuals have the right to access, rectify, delete (the right to be forgotten), and restrict the processing of their personal data.
AI: AI systems may store and process data in a way that complicates or hinders the complete removal of information, especially when the data is part of larger machine learning models.

6. Consent for Data Processing

GDPR: Explicit consent from the individual is required for the processing of personal data, and that consent must be informed and voluntary.
AI: AI systems often process data collected indirectly, through third parties or automated processes, making it impossible to adhere to this principle of explicit and informed consent from users.

7. Repurposing Data for New Uses

GDPR: Data may only be used for new purposes if they are compatible with the original purposes for which they were collected.
AI: AI often uses data for new applications and analyses, which may not be compatible with the original intent behind data collection.

Conclusion

AI and GDPR are closely interconnected. As AI continues to evolve, the importance of personal data protection will remain critical. GDPR establishes strict rules and principles that must be followed. However, for AI technology to continue developing in an ethical and responsible manner, clear guidelines and support from regulatory bodies and companies are needed.

 

SCHEDULE A CALL WITH SOMEONE FROM OUR TEAM

schedule a meeting with law office aleksov and memishi

Informative blog

To top