Corporate Compliance Insights

How Corporations Can Harness the Power of AI in the Context of GDPR

Reaping the Benefits of Cognitive Technologies While Ensuring Compliance and Managing Unintended Consequences

by Eric Winston
August 8, 2019
in Data Privacy, Featured

Article 22 of GDPR states that AI cannot be used as the sole decision-maker in choices that have legal or similarly significant effects on users; human intervention is a must. Mphasis’ Eric Winston explores how companies can accelerate overall GDPR compliance while doing right by their customers.

As the European Union completes one year of the General Data Protection Regulation (GDPR), U.S. lawmakers are following suit. Nationwide, there is a growing momentum to enforce strict privacy laws to protect consumers from rampant data breaches that violate their privacy.

Contrary to what may have been expected, big tech has generally come out in support of the Congressional national privacy law proposal, underscoring the widely held belief that something must be done to protect consumers’ personal data rights. However, while tech companies are pushing for a single national federal legislation, several U.S. states, including California, are rushing to reform the lax regulatory landscape by enacting their own, more stringent, data privacy laws.

Meanwhile, as American companies await the implementation of nationwide legislation, they still face the challenge of complying with GDPR. According to recent research, only 27 percent of EU-based companies, excluding the U.K., are compliant with the GDPR. Further, just 12 percent of companies in the U.S. have achieved GDPR compliance.

GDPR and the AI Conundrum

Even as companies rush to ensure GDPR compliance, the vast scope of the law has raised another concern: the complex interaction between artificial intelligence (AI) and GDPR. In particular, Article 22 of the GDPR has come to the fore, as it contains provisions on automated profiling and decision-making that deal with how personal data is used, within its limited applicability. It impacts any industry where AI is used to derive a user’s automated profile and where decisions are taken through automated means that could have a legal or significant effect on users.

The concern with such decision-making is that existing AI system logic makes automated decisions without human intervention. Such an approach could potentially victimize individuals. Recognizing this, the GDPR mandates human intervention before any AI decision that could impact individuals. However, because the drafting of the GDPR around this provision is perceived as ambiguous, organizations must choose wisely how to use AI in automated decision-making.

Since data is the key ingredient for AI, it is imperative to understand Article 22 in the context of restrictions on automated decision-making and profiling. Article 22 is a conditional right based on certain exceptions. It prescribes that AI — including profiling — cannot be used as the sole decision-maker in choices that have legal or similarly significant effects on users as this is necessary to “safeguard” the data subject’s rights and freedoms and legitimate interests. For instance, an AI model cannot be the only step for deciding whether a borrower is eligible to qualify for a loan. The user can also raise an objection to contest the automated decision and obtain human intervention based on exceptions.

Yet if one were to play devil’s advocate, automated decision-making can sometimes be justified – for instance, when an AI tool rejects a job application if the applicant has not furnished sufficient information. The crucial determiner here: At what stage of the automated decision-making process was the application rejected, and why?

But since Article 22 does not require an explanation about the rationale behind any AI-led decision, this highlights a confounding aspect of the interplay between AI and GDPR.

If organizations correctly interpret Article 22, they will do right by the customer and accelerate overall GDPR compliance — while upholding the firm’s reputation.

GDPR: The U.S. Perspective

It has long been established that GDPR applies to all companies that collect EU consumers’ personal data or behavioral information — regardless of the geographical location of the business. Therefore, even U.S. firms that only have a web presence, but not a brick-and-mortar operation, in the EU will need to comply with the GDPR. This is because such businesses market products to the EU and collect EU citizens’ personal data.

The provision that gives consumers ownership of their data poses a roadblock for U.S. companies that use and sell data. Since organizations may be compelled to destroy data under “the right to be forgotten,” businesses have struggled with restrictions imposed by the GDPR in the year since it became effective.

Further, GDPR has flexed its significant enforcement powers toward U.S. firms as demonstrated when Google was recently fined €50 million for a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

Going forward, given the backlog of GDPR data breach notifications and the number of companies that are not yet compliant with the tenets of the law, the fines are expected to touch hundreds of millions of euros in 2019.

In terms of how the GDPR would impact the development of AI applications in the U.S., experts believe it could increase labor costs, as human intervention is a necessary component of automated decision-making. Its stringent provisions could also limit the scope of AI’s long-term applications.

The Journey Forward

Even so, in the years to come, GDPR’s impact is expected to resonate across the world in many ways. For starters, it has inspired the U.S. to come up with its own cohesive national data privacy law that will make it easier for consumers to protect their private information.

If the U.S. is going to introduce a GDPR-like law, it remains to be seen which of the provisions it will borrow from the EU regulator. A further challenge is how the U.S. would approach AI processes that require transparency to remove bias.

The larger question organizations and policymakers should be asking is: What does it mean for the consumer to be “king?” This alone will determine the trajectory of the country’s ambitious national data privacy law.


Eric Winston

Eric Winston is Executive Vice President, General Counsel and Chief Ethics & Compliance Officer at Mphasis. Eric is responsible for Mphasis’ global legal and compliance function and policies. He has spent nearly 20 years guiding international, market-leading public- and private-equity-owned IT companies. Prior to Mphasis, Eric served for two years as Vice President - Legal, at Syntel, Inc., an IT services company, where he was responsible for advising executive management on a wide range of matters including domestic and international, strategic and commercial transactions, litigation, mergers and acquisitions, employment, business development, corporate governance and compliance. From 2002 through 2015, Eric served as Senior Vice President, General Counsel and Corporate Secretary of INTTRA, Inc., the world’s largest electronic transactional platform for the ocean shipping industry. His responsibilities included functions such as worldwide legal, privacy, mergers and acquisitions, litigation, intellectual property, patent strategy, and compliance activities, as well as government and regulatory affairs. He also managed INTTRA's human resources department. Eric received his J.D. at the Emory University School of Law and a bachelor’s in Economics from Vassar College.
