How the European Union’s GDPR Rules Impact Artificial Intelligence and Machine Learning
“This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”
It’s no “We hold these truths to be self-evident…” but when the European Union (EU) drafted the General Data Protection Regulation (GDPR) that goes into effect on May 25, 2018, they definitely had individual freedoms in mind.
In this case, it’s freedom of individuals to control their personal data.
The GDPR is a broad regulation that outlines how companies may legally collect and use individual personal data—and what rights EU citizens have concerning their data.
It’s a major regulation with major effects. Companies that collect data from EU citizens must follow a number of regulations around collecting that data in order to legally use it. They must also respond to citizen requests to alter that data in certain circumstances.
Notes Elizabeth Juran, a consultant at marketing agency PR 20/20 (which powers the Marketing AI Institute):
“The GDPR is a European privacy law that protects consumers from unfair, unclear and unethical uses of their data. You may have noticed updates in your automation software or data collection tools like the one below from Google Analytics:
These aren’t your average skim-and-delete email notifications. The GDPR will change how we, as marketers, use data. Historically, companies haven’t been required to disclose information like the following:
- What kinds of data they store about consumers.
- What they’re using consumer data for.
- Why they ask for (or require) the data they do.
This is big for marketers of all stripes. But what effects might GDPR have on the use of artificial intelligence?
Turns out, a significant part of the regulation also deals with AI and algorithms. Like the rest of GDPR, the language may be construed broadly. No precedents have yet been set with the regulation. So a lot is up in the air as to what will actually be enforced and how it’ll be enforced.
GDPR and AI
According to the Brookings Institution, a US think tank:
The GDPR being implemented in Europe place severe restrictions on the use of artificial intelligence and machine learning. According to published guidelines, “Regulations prohibit any automated decision that ‘significantly affects’ EU citizens. This includes techniques that evaluates a person’s ‘performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.’” In addition, these new rules give citizens the right to review how digital services made specific algorithmic choices affecting people.
This statement alone creates substantial uncertainty if you know anything about artificial intelligence and machine learning.
Lots of AI systems run into the “black box” problem, in that they’re not very transparent about how their machine learning algorithms reach decisions. For consumers, this means you don’t necessarily know why AI may recommend what it recommends or take the actions it takes.
There’s no doubt the black box problem becomes troublesome the more AI is adopted in marketing and other industries. At some point, marketers will want some idea of how systems make decisions, especially as these systems recommend more sophisticated marketing actions.
For instance, if I have an AI system that prescribes how I should allocate my marketing budget, I’ll at least want some idea what inputs the system uses to make those decisions. (At least, I will if I need to explain any of this to my executive team or board.)
Does that mean you need to know exactly how the AI’s algorithms work? Probably not. But there’s a balance here that likely needs to be established.
Another problem, however, is that sometimes the creators of AI systems can’t always explain fully why AI makes its decisions. For sophisticated AI, like deep learning and neural networks, it is sometimes extremely difficult for the people who created these systems to pinpoint each and every step in the decision-making process.
Says AI expert Pedro Domingos, author of The Master Algorithm:
“The best learning algorithms are these neural network-based ones inspired by what we find in humans and animals. These algorithms are very accurate as they can understand the world based on a lot of data at a much more complex level than we can. But they are completely opaque. Even we, the experts, don't understand exactly how they work. We only know that they do. So, we should not allow only algorithms which are fully explainable. It is hard to capture the whole complexity of reality and keep things at the same time accurate and simple.”
Hard as it is to believe, he’s right. There may not be an easy way for an AI system’s creator to explain how the system works. In the meantime, regulations like GDPR that require such explanations may limit the amazing efficacy of these systems, Domingos points out:
“Let's take the example of cancer research, where machine learning already plays an important role. Would I rather be diagnosed by a system that is 90 percent accurate but doesn't explain anything, or a system that is 80 percent accurate and explains things? I'd rather go for the 90 percent accurate system.”
GDPR presents some interesting conflicts and considerations for the companies that build AI. Brookings notes that it could hold back AI development in the EU:
“If interpreted stringently, these rules will make it difficult for European software designers (and American designers who work with European counterparts) to incorporate artificial intelligence and high-definition mapping in autonomous vehicles. Central to navigation in these cars and trucks is tracking location and movements. Without high-definition maps containing geo-coded data and the deep learning that makes use of this information, fully autonomous driving will stagnate in Europe. Through this and other data protection actions, the European Union is putting its manufacturers and software designers at a significant disadvantage to the rest of the world.”
Now, a lot of the effects will utterly depend on how lawmakers within the EU interpret GDPR.
Somewhat ironically, it’s not at all clear how they’ll come to their decisions, as they operate in a bit of a black box of their own.
Disclaimer: We love talking about everything related to AI—even legal regulations—but we’re not lawyers, nor should this content be construed in any way as legal advice. We recommend all companies consult with legal counsel about GDPR-related questions and actions.
Here are some additional resources on the subject that may be valuable:
About Mike Kaput
Mike Kaput is a senior consultant at PR 20/20 who is passionate about AI's potential to transform marketing. At PR 20/20, he creates measurable marketing results for companies using data-driven strategies, market-leading content, and scalable marketing technologies. Full bio.