Privacy and AI weekly - Issue 5
This week in Privacy and AI Weekly
- Datatilsynet publishes guidelines on the use of CSPs
- EDPB Guidelines on Codes of Conduct as Data Transfer Tools
- Facial recognition: Italian SA fines Clearview AI EUR 20 million and bans use of biometric data and monitoring of Italian data subjects
- Improving transparency of AI systems: Meta's System Card
- Can AI systems show discrimination and unfair outcomes against different species of animals?
DATA PROTECTION
Datatilsynet publishes guidelines on the use of CSPs
A must-read document, in particular for the complexity of the transfer landscape.
Apart from detailed explanations of the different kinds of services a #CSP may provide, it gives plenty of practical recommendations.
Example 2: It may be insufficient solely to examine the core service of a cloud service. Any ancillary services (e.g. an additional desk service) where personal data are processed must also be assessed.
Relevant questions for a data protection risk assessment
- Does the CSP process any additional personal data beyond the personal data you entrusted to it? E.g. metadata or other service data.
- Does the CSP process the personal data entrusted to it for its own purposes? Evaluate the legal basis in this case.
Relevant for a security risk assessment
- Identify which level of security of processing the CSP has established.
- Review whether this level of security of processing corresponds to the level that you, as the controller, consider appropriate.
Know your supplier (KYS)
- Questions for the screening (important: see pp. 12-13)
- Sign a DPA
CSP and sub-processor audits
- Higher risks mean higher requirements for the audit.
- The more critical the processing, the more frequent the audits should be.
ON DATA TRANSFERS
In general
Controllers must:
1) Identify your third-country transfers (mapping)
2) Establish the relevant transfer tool (SCC)
3) Assess whether the Article 46 transfer tool you are relying on is effective in the light of all the circumstances of the transfer and, if not,
4) Adopt supplementary measures;
Given the complexities of global legislation, a best practice is to take a "worst case scenario" as the basis of your assessment (i.e. treat the third-country legislation as problematic) and, on this basis, assess in more detail which supplementary TM must be implemented to ensure an essentially equivalent level of protection.
5) Observe any procedural requirements; and
6) Re-evaluate transfers at appropriate intervals.
Transfers to the USA
- It will be difficult to document that the specific types of personal data that you wish to transfer to CSPs in the US will not be subject to the surveillance programmes authorised under, inter alia, FISA 702.
- It is insufficient to refer as evidence to your own or the CSP's subjective assessment that the transferred personal data cannot be targeted via "selectors" or is of no interest to US law enforcement authorities if that statement is not supported by objective, reliable, and accessible information, for instance from the authorities concerned.
But you may still, without taking any additional action, transfer personal data to your US CSP if your supplier, in practice, has not received any requests from US law enforcement authorities in the past, or if the types of #personaldata that you intend to transfer have not in any case fallen within the scope of such requests.
EDPB Guidelines on Codes of Conduct as Data Transfer Tools
The European Data Protection Board published the adopted version of the Guidelines on Codes of Conduct as tools for transfers.
Where data transfers to third countries are not covered by an adequacy decision, controllers and processors must rely on appropriate safeguards as set out in art. 46 #GDPR.
Approved #codesofconduct, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights, constitute an appropriate tool to transfer personal data abroad (art. 46(2) GDPR).
Codes of conduct are voluntary accountability mechanisms that establish the most adequate compliance and ethical rules for organisations operating in a certain domain or sector (see EDPB Guidelines 1/2019) (GDPR codes).
CoC for transfers are a special kind of CoC intended for the international #transfer of personal data and for the purpose of providing appropriate safeguards within the meaning of Article 46.
The data importer in the third country has to adhere to the code intended for transfers, but data exporters subject to the GDPR do not necessarily have to adhere to it (EDPB Guidelines 4/21, para 7).
Content
Broadly speaking, the CoC for transfers needs to address:
- Essential principles, rights and obligations arising under the GDPR for controllers/processors; and
- Guarantees that are specific to the context of transfers (such as with respect to the issue of onward transfers, conflict of laws in the third country).
A complete checklist of the elements can be seen in para 36 of the guidelines.
Facial recognition: Italian SA fines Clearview AI EUR 20 million and bans use of biometric data and monitoring of Italian data subjects
The Italian Data Protection Authority fined the US-based company Clearview AI EUR 20 million after finding it applied what amounted to biometric monitoring techniques also to individuals in the Italian territory.
The Italian SA's inquiries were started also following complaints and alerts, and found that Clearview AI allows tracking of Italian nationals and persons located in Italy.
The findings showed that the personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis, since the legitimate interest of the US-based company does not qualify as such.
Several GDPR principles were violated, including transparency (as it failed to adequately inform users), purpose limitation (as it processed users' data for purposes other than those for which they had been made available online), and storage limitation (as it did not set out any data storage period).
The GPDP fined Clearview AI EUR 20 million and ordered the company to erase the data relating to individuals in Italy; it banned any further collection and processing of the data through the company's facial recognition system.
It's worth remembering that the ICO, CNIL and OAIC (Australia) found that Clearview AI breached data protection laws in their jurisdictions.
ARTIFICIAL INTELLIGENCE
Improving transparency of AI systems: Meta’s System Card
System Cards are a tool designed to provide insight into an AI system's underlying architecture and help better explain how the AI operates. A System Card outlines the AI models that comprise an AI system and can help enable a better understanding of how these systems operate based on an individual's history, preferences, settings, and more.
The good
It is an excellent initiative to increase the transparency of the algorithmic predictions and decisions of the largest social media company in the world.
The bad
Communication of the feature. It would have been better if they had informed users about this new feature in the platform. I am a user of FB and IG and I wasn't informed about it. I came across this feature because Norberto de Andrade, PhD published it on LinkedIn.
The ugly
Despite the positive aspects, there are still many areas that we can criticise.
- Timing: it's 2022 and Meta is just releasing a 'pilot' or 'prototype' model. There are similar initiatives from other companies from 2018
- Limited scope: again, it's 2022 and the system card is only available for one AI system (Instagram feed ranking)
- Limited information: I concede it's challenging to balance conciseness with completeness of the explanation. However, more information should be provided about:
--- how users' profiles are created
--- what the sources of information are
For example: it mentions that it collects attributes from the post (but which attributes?) (see step 2), along with additional information like how often the user interacts with the author of a post (can you provide any other example?) (step 2). What are the relative weights assigned to each of these factors? Can you name the 3 most important factors?
Another example: to ensure diversity of information (step 6) they "created a rule to show no more than three posts in a row from the same account". Can you provide another example?
- To increase the clarity of information
--- Use counterfactual explanations
--- Use videos: short videos are (IMO) the easiest way to engage people with these matters, instead of long texts only accessible to professionals working in the area.
--- Use all your experience and means available to inform people. E.g. when WhatsApp changed its privacy policy, I received the prompt to accept the new changes dozens of times. Why not take a similar approach on this matter?
- Prove that you really care about what you say when providing information to the technical audience. Meta's initiative follows previous frameworks: Datasheets (Microsoft + Gebru, 2018, 18 pages), Model Cards (Google, 2018, 10 pages), and FactSheets (IBM, 2019, 31 pages). But these papers were released long ago and they are 2x to 4x longer than FB's white paper. Crucially, the explanation of the methodology of FB's System Cards is only 2 pages long.
Can AI systems show discrimination and unfair outcomes against different species of animals?
A research team evaluated how 'farm animals' and 'pets' were treated differently in three areas:
- image recognition
- natural language models (GPT-3)
- recommender systems
These are the results of the GPT-3 algorithm (image not reproduced here).
Very interesting to see how bias may not be limited to human features.
Thanks Silvina Pezzetta for sharing!
About the author
Federico Marengo is a lawyer, LLM (University of Manchester), and PhD candidate (Università Bocconi, Milano). He is currently the founder of Qubit Privacy, a boutique consultancy firm that provides data protection and AI governance services.
He is the author of "Data Protection Law in Charts. A Visual Guide to the General Data Protection Regulation". As a PhD researcher, his research deals with the potential and challenges of the General Data Protection Regulation to protect data subjects against the adverse effects of Artificial Intelligence.
Federico also worked as an external consultant for Data Business Services and as a full-time data protection and AI consultant for TNP Consultants.
For inquiries, feedback or collaborations, please contact me at [email protected]
Data Protection Consultant | CIPP/E | Privacy | Cybersecurity | Europrivacy Auditor | Consultant/IT Manager at A-Sapiens Business School
3 years: Very useful. Many thanks!
Advogada no Grupo NSX
3 years: Thanks for sharing Federico Marengo!
Managing Data Privacy Counsel @ Publicis Groupe. Global Data Privacy Office (GDPO): South EU & LATAM. CIPP/E. AI. Tech. Data. Cyber. Intl. Lawyer
3 years: Thanks Federico Marengo, always interesting and helpful!
Thank you for highlighting the most important news. Maybe I would mention the EDPS survey on COVID-19 related data processing within EU institutions too; it is still an important topic: https://edps.europa.eu/press-publications/press-news/press-releases/2022/edps-report-eu-institutions-resilience-covid-19_en