Corporate Compliance Insights

How Corporations Can Harness the Power of AI in the Context of GDPR

Reaping the Benefits of Cognitive Technologies While Ensuring Compliance and Managing Unintended Consequences

by Eric Winston
August 8, 2019
in Data Privacy, Featured

Article 22 of GDPR states that AI cannot be used as the sole decision-maker in choices that have legal or similarly significant effects on users; human intervention is a must. Mphasis’ Eric Winston explores how companies can accelerate overall GDPR compliance while doing right by their customers.

As the European Union completes one year of the General Data Protection Regulation (GDPR), U.S. lawmakers are following suit. Nationwide, there is a growing momentum to enforce strict privacy laws to protect consumers from rampant data breaches that violate their privacy.

Contrary to what may have been expected, big tech has generally come out in support of the Congressional national privacy law proposal, underscoring the widely held belief that something must be done to protect consumers’ personal data rights. However, while tech companies are pushing for a single national federal law, several U.S. states, including California, are rushing to reform the lax regulatory landscape by enacting their own, more stringent, data privacy laws.

Meanwhile, as American companies await the implementation of nationwide legislation, they still face the challenge of complying with GDPR. According to recent research, only 27 percent of EU-based companies, excluding the U.K., are compliant with the GDPR. Further, just 12 percent of companies in the U.S. have achieved GDPR compliance.

GDPR and the AI Conundrum

Even as companies rush to ensure GDPR compliance, the vast scope of the law has raised another concern: the complex interaction between artificial intelligence (AI) and GDPR. In particular, Article 22 of the GDPR has been at the fore, as it contains provisions related to automated profiling and decision-making that deal with how personal data is used in its limited applicability. It impacts any industry where AI is used to derive a user’s automated profile and where decisions are taken through automated means that could have a legal or significant effect on users.

The concern with such decision-making is that the existing AI system logic makes automated decisions without human intervention. Such an approach could potentially victimize individuals. Recognizing this, the GDPR mandates human intervention before any AI decision that could impact individuals. However, because the drafting of this provision of the GDPR is perceived as ambiguous, organizations must choose wisely how to use AI in automated decision-making.

Since data is the key ingredient for AI, it is imperative to understand Article 22 in the context of restrictions on automated decision-making and profiling. Article 22 is a conditional right based on certain exceptions. It prescribes that AI — including profiling — cannot be used as the sole decision-maker in choices that have legal or similarly significant effects on users as this is necessary to “safeguard” the data subject’s rights and freedoms and legitimate interests. For instance, an AI model cannot be the only step for deciding whether a borrower is eligible to qualify for a loan. The user can also raise an objection to contest the automated decision and obtain human intervention based on exceptions.

Yet if one were to play devil’s advocate, automated decision-making can sometimes be justified – for instance, when an AI tool rejects a job application if the applicant has not furnished sufficient information. The crucial determiner here: At what stage of the automated decision-making process was the application rejected, and why?

But Article 22 does not require an explanation about the rationale behind any AI-led decision, which highlights a confounding aspect of the interplay between AI and GDPR.

If organizations correctly interpret Article 22, they will do right by the customer and accelerate overall GDPR compliance — while upholding the firm’s reputation.

GDPR: The U.S. Perspective

It has long been established that GDPR applies to all companies that collect EU consumers’ personal data or behavioral information — regardless of the geographical location of the business. Therefore, even U.S. firms that only have a web presence, but not a brick-and-mortar operation, in the EU will need to comply with the GDPR. This is because such businesses market products to the EU and collect EU citizens’ personal data.

The provision that gives consumers ownership of their data poses a roadblock for U.S. companies that use and sell data. Since organizations may be compelled to destroy data under “the right to be forgotten,” businesses have struggled with restrictions imposed by the GDPR in the year since it became effective.

Further, GDPR has flexed its significant enforcement powers toward U.S. firms as demonstrated when Google was recently fined €50 million for a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

Going forward, given the backlog of GDPR data breach notifications and the number of companies that are not yet compliant with the tenets of the law, the fines are expected to touch hundreds of millions of euros in 2019.

In terms of how the GDPR would impact the development of AI applications in the U.S., experts believe it could increase labor costs, as human intervention is a necessary component of automated decision-making. Its stringent provisions could also limit the scope of AI’s long-term applications.

The Journey Forward

Even so, in the years to come, GDPR’s impact is expected to resonate across the world in many ways. For starters, it has inspired the U.S. to come up with its own cohesive national data privacy law that will make it easier for consumers to protect their private information.

If the U.S. is going to introduce a GDPR-like law, it remains to be seen which of the provisions it will borrow from the EU regulator. A further challenge is how the U.S. would approach AI processes that require transparency to remove bias.

The larger question organizations and policymakers should be asking is: What does it mean for the consumer to be “king?” This alone will determine the trajectory of the country’s ambitious national data privacy law.


Tags: Artificial Intelligence (AI), Automation, GDPR
Eric Winston

Eric Winston is Executive Vice President, General Counsel and Chief Ethics & Compliance Officer at Mphasis. Eric is responsible for Mphasis’ global legal and compliance function and policies. He has spent nearly 20 years guiding international, market-leading public- and private-equity-owned IT companies. Prior to Mphasis, Eric served for two years as Vice President – Legal, at Syntel, Inc., an IT services company, where he was responsible for advising executive management on a wide range of matters including domestic and international, strategic and commercial transactions, litigation, mergers and acquisitions, employment, business development, corporate governance and compliance. From 2002 through 2015, Eric served as Senior Vice President, General Counsel and Corporate Secretary of INTTRA, Inc., the world’s largest electronic transactional platform for the ocean shipping industry. His responsibilities included functions such as worldwide legal, privacy, mergers and acquisitions, litigation, intellectual property, patent strategy, and compliance activities, as well as government and regulatory affairs. He also managed INTTRA’s human resources department. Eric received his J.D. at the Emory University School of Law and a bachelor’s in Economics from Vassar College.
