Could the UK’s data protection reforms create an unintended loophole for commercial AI research?
One of the more notable aspects of the UK’s DP&DI (No. 2) Bill (the “Bill”) is its explicit recognition that the concept of “scientific research” includes “any research that can reasonably be described as scientific”, even when carried out for a “commercial activity” (see clause 2 of the Bill, amending Article 4 of the UK GDPR).?It adds that this research can include “technological development
This matters because personal data processing
Is this really a change or just a clarification?
Some will argue the UK proposal is simply a clarification of the GDPR’s existing intent.?For example, GDPR Recital 159 already acknowledges that the concept of scientific research “should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research” (emphasis added) - giving a clear nod towards, without unambiguously endorsing (since this language exists in recitals, not within operative statutory provisions), commercially-funded research.?
Whether or not the concept of “scientific research” under the GDPR actually extends to commercial research has, however, long been a topic for debate.?The EDPS, for example, has previously weighed in to express the view that the GDPR’s “scientific research” regime applies only where “the research is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests”.?
If the UK Bill is adopted as proposed, it seems this point will now be settled favourably for the private sector – under UK law, at least.
The potential impact to private sector AI development
It’s worth considering, though, what this could mean in the context of future AI development
领英推荐
But should research into commercially-funded AI tools like these fall within the scope of the (UK) GDPR’s “scientific research” regime??
You might argue that, yes, it should.?After all, Art 89 of the (UK + EU) GDPR requires that data processed for “scientific research” must be subject to “appropriate safeguards
Conversely, opponents might argue these are measures that controllers should be taking anyway to comply with data protection principles
Is this intended or not?
It’s unclear to what degree the explicit extension of the UK GDPR’s “scientific research” regime to “commercial activity” and its application to AI has already been considered by the UK government as part of its National AI Strategy – but, given the AI gold rush currently underway, this is a clearly point that merits closer examination and careful policy consideration moving forward.
Special thanks go to my friend Eleonor Duhs for her informed peer review (aka marking of my homework) prior to publication
Of Counsel, Dentons; Member, DIFC Regulation 10 Advisory Committee; Editor, Encyclopedia of Data Protection & Privacy. All views personal only.
2 年Meant to add, the ref to “technological development”, like the refs to legitimate interests for direct marketing etc that people have been making much of, is really just to reflect GDPR recitals in the operative text, in the case of tech dev Rec.159 https://www.gdprinfo.info/#r159
Data protection, privacy, and some AI-related stuff. Advising on it. Training people in it. Writing about it. Creating useful resources for it. Recording little videos about it.
2 年Good to see you raising this Phil, I also wondered about this and have been discussing on Twitter this week. https://twitter.com/RobertJBateman/status/1634467493958807555 I was sort of hoping someone would tell me I'd got the wrong idea—it would appear not... I've not decided if I think this was intentional or not...
Of Counsel, Dentons; Member, DIFC Regulation 10 Advisory Committee; Editor, Encyclopedia of Data Protection & Privacy. All views personal only.
2 年Not necessarily for special category/criminal data. Para.4 Sch.1 DPA2018 still requires 3 conditions: (a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes, (b) is carried out in accordance with Article 89(1) of the UK GDPR (as supplemented by section 19) [which the Bill will update], and (c) is in the public interest. Controllers must be able to record/show that processing of such data, even for scientific research in AI, must be "in the public interest". So. the clarification on commercial activity won't help for such data. Puzzlingly, this is one area where the UK actually goldplated the GDPR - the "public interest" condition isn't required under Art.9, see my blog https://blog.kuan0.com/2023/03/data-protection-digital-information-no2.html after the table. And I couldn't find anything in the Bill to amend para.14. Also puzzlingly, the original intention to amend Sch.1 to allow processing of sensitive data to eliminate bias, wasn't taken forward. BTW glad you're feeling well enough to write your blog Phil Lee!
Product Manager, Inventor, PrivacyTech, SaaS, CIPP/E, CIPM.
2 年Great post. I too wondered a lot about the definition of scientific research when I read this bit. Consider this: I have a hypothesis that one combination of words and pictures is more appealing to people than a slightly different combination of words and pictures. I will test this with an experiment where I present these options to different audiences of pseudonymised individuals on a web page, and I measure the results by counting both the number of impresssions and the clicks on these alternatives - the differing results either refuting or supporting my hypothesis. This sounds like scientific research right? Its just incidental that I am advertising a product and looking for the best CTR to maximise my ROI.
Anyone who has ever worked in real AI and real R&D knows 99% of all commercial AI projects dont enter such a description; mainly because the real process of tax credits for R&D purposes demand somewhat stringent records (tedious process that almost no AI project does) and nevertheless...R&D always respects the principles of many laws, like you've said. Above all, ethics. No pure science research is done without evaluation by an ethics committee and stringent law verifications. Because that, wouldn't be "science". Plus, being honest, and knowing how most of these commercial projects get developed, calling them "scientific" just by using some bare knuckles maths.... sorry, NOP. Again, this shows utter and complete inept and uninformed "someone" making changes that mostly throw more chaos into the mix. The difference btw generic R&D and commercial driven, is stage. More generic is usually earlier stages, supported by the state with investment and tax credits. Has % of ownership connected to universities etc; entering a full ecosystem and being made available later to commercial R&D firms that then can use it, after paying upwards for IP. Calling a data vulture an eagle, doesnt make a vulture... an eagle.