The individual, the datapoint, and the AI
Lilian Tai Do Khac
AI Strategy Execution & Auditing Consultant | Researcher & Educator Human+Machine Collaboration
We have been witnessing a conflict between data and the interest in processing that data. The issue is not necessarily the processing itself but rather the careful handling of data and the believed purpose of the data processing. I assume that, due to the level of abstraction, there is a propensity to feel less responsible and attentive towards carefully handling the data of others. I assume further that, due to the level of abstraction, there is a propensity to be unaware of the potential consequences. But essentially, history made privacy, which includes private data, a fundamental human right.
(Data) privacy rights for the individual
“Let Europe arise!” is what Winston Churchill said in the speech he delivered on 19 September 1946 in Zurich. The occasion for his speech was the end of World War II and, consequently, the quest for Europe’s re-creation and the introduction of preventive measures to keep this tragedy from happening again. As underlying parameters for Europe to rise, he proposed forming a Council of Europe and having France partner with Germany as a matter of inclusion. In 1949 the Council of Europe[1] was founded with the goal “to promote democracy, human rights and the rule of law.” Following this, the initial member states formalized the Council of Europe with effect of the “Convention for the Protection of Human Rights and Fundamental Freedoms” (ECHR) in 1951. The ECHR is based on the United Nations’ Universal Declaration of Human Rights (UDHR).
Article 8 (1) of the ECHR (see also UDHR Article 12) states: “Everyone has the right to respect for his private and family life, his home and his correspondence.” Further, “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interest of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (ECHR Article 8 (2)). With the aim of deepening post-war cooperation in Europe, an economic union was formed by signing the treaty establishing the European Coal and Steel Community (ECSC) in 1952. Since then, together with other cooperative unions, the concept of a European internal market has extended to what we now know as the European Union (EU) with 27 EU member states[2], while committing to the ECHR[3].
So, the right to privacy in Europe is at least as old as the ECHR (see Article 8). In the wake of technological progress (e.g. through the Internet), the EU recognized that it needed to adapt regulation on privacy rights for the 21st century. This was also due to violations that started to emerge against individuals through the abuse of their private data, thereby depriving them of fundamental human rights such as the right to privacy. Consequently, the General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Within the scope of the GDPR are all personal data of EU citizens or residents subject to data processing within the EU and outside the EU (see GDPR Article 3 (1)). Fines for violations of the GDPR can amount to up to EUR 20 million or 4% of a violator’s global revenue. Further, data subjects have the right to compensation for damages that have occurred due to wrongdoing with their personal data. Defining the scope of data privacy as required by the GDPR by identifying what exactly is “personal data” in the wake of digitization is rather difficult. The EU gives some guidance: “Personal data is any information that relates to an identified or identifiable living individual.” (What is personal data? (europa.eu)) and gives some examples: “name and surname, email address, location data, Internet Protocol (IP) address […]”. Individuals whose personal data is processed so that a business relationship can be established through consuming a certain service or product have rights to take control over their data. To name three of the eight: the right to be informed, the right to access, and the right to erasure (see others in Rights of the Individual | European Data Protection Supervisor (europa.eu)).
Conflict of data privacy rights when utilizing U.S. Cloud services
The Patriot Act is a federal law originating from the USA that came into effect in 2001 because of September 11. According to the Patriot Act, which serves to better prevent terrorist attacks, particularly at home, the US is legally allowed to request data that is processed by American companies, even when they operate outside of the US. The Cloud Act (Clarifying Lawful Overseas Use of Data Act), which came into effect in 2018, underpins these thoughts and explicitly states that access to personal data stored or processed by companies such as AWS, Google Cloud, and Microsoft Azure must be granted to the US government upon request. In a nutshell, the U.S. Cloud Act and the EU GDPR are in serious conflict, mainly due to the fact that processing the personal data of European individuals must be based on a particular legal basis. Well, we could be fairly sure that the U.S. law enforcement authorities are anything but particularly interested in either your (I assume) or my personal data. However, to be blunt about the facts, European businesses are put into the conflict of possibly violating the GDPR when they use U.S. Cloud services, or the U.S. Cloud service provider opposes its respective legal regulation. Either way, it is a hopeless situation. With the aim of bridging this conflict, the EU-US Privacy Shield was introduced in 2018 so that personal data could be transferred for commercial reasons between the EU and the US. However, it was declared invalid in 2020 (see Schrems II) because it did not conform to the GDPR. Another attempt to draft such an agreement between the EU and the US was kicked off in the course of the Ukraine War in early 2022. To date, there is still no agreement between the EU and the US that bridges the conflict between the GDPR and the Cloud Act (Microsoft EU Data Boundary does not solve this issue).
There is a conflict between AI adoption (at least for a couple of interesting use cases) and data privacy. Most AI services are provided by US companies. However, the Cloud Act and the GDPR conflict with each other. Given the historical background, it is a fundamental conflict. The question is: is the fundamental right outdated? Is data privacy not to be set on a level with privacy? Or do we have to try harder to make AI adoption work, but with data privacy in mind?
[1] to date 47 members, https://www.coe.int/en/web/about-us/our-member-states, retrieved April 2023
[2] https://european-union.europa.eu/principles-countries-history/country-profiles_en, retrieved April 2023
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT