The GDPR has now been in force for five years and the European Commission wants to improve the regulation in the first half of the year. In concrete terms, binding deadlines for forwarding complaints and a general processing deadline for complete complaint procedures are to be introduced.
The EU will regulate AI separately in the “AI Act”, although the GDPR and AI are closely intertwined, as the ban on ChatGPT in Italy shows. Mark Molyneux, EMEA CTO at Cohesity, explains how companies can exploit the potential of AI under controlled legal risk, and formulates four specific recommendations:
Legal, technical and ethical issues
“ChatGPT has made AI freely available to everyone and brought it into everyday life. This January, more than 100 million active users are said to have used the AI - two months after its launch. This makes ChatGPT the fastest growing consumer application in history, according to Reuters. And with every new version, this AI gets bigger and better. And with every new version, it raises more questions - legal, technical and ethical. Because there is a lack of transparency, no one from the outside can look into this black box.
The Italian government has decided to ban ChatGPT. According to the Italian public prosecutor, the AI violates the principles of the GDPR. The European states and their data protection authorities see it as their duty to take AI into account. It fits the picture that the facial recognition company Clearview AI was fined three times in the past year, with fines of up to 20 million euros. Privacy advocates in the UK, Italy and Greece felt this company and its AI were violating citizens' rights.
Violations of the GDPR
The overall picture is blurred, but there are clear tendencies that the use of AI with certain data creates legal risks when handling GDPR-relevant data. And the statistics show that the authorities in Europe continue to impose heavy penalties – especially against big data. From May 2022 to May this year, fines totaling €1.1 billion were levied – nine of the top ten fines were imposed on US tech giants.
The EU wants to regulate the legal situation more clearly in the AI Act. The Europe-wide AI law cleared the first hurdle on May 11 and is scheduled to be passed in the plenum in mid-June. It will take until 2024 for the law to actually come into force. And only much later does it become clear in the first cases how it actually works in practice. What is certain is that companies and their employees will face new tasks and obligations from a compliance perspective.
Controlled risk
Nobody in the free economy can afford to wait until then. Companies and private individuals now need clear orientation, because they want to use the great potential of this technology, and the first companies are already doing it. There are four clear recommendations on how companies can approach this without creating legal risks and without getting in the way of users, while at the same time being positioned so that the AI Act can be fully implemented without turning IT upside down:
- Always think about compliance: Whether the use of AI affects compliance simply depends on the application scenario and the data used. Anyone who wants to use AI in compliance with the GDPR should seek the advice of a data protection expert before introducing it.
- Know the data: Companies and their employees need to know exactly what data they are feeding the AI with and what value this data has for the company. Some AI providers deliberately delegate this decision to the data owner because they know the data best.
- Understand the content of the data: In order for data owners to make the right decisions, the value and content of the data must be clear. In everyday life, this task is gigantic, and most companies have piled up mountains of information that they know nothing about. AI and machine learning can help massively in this area and defuse one of the most complex problems by automatically classifying company data. Predefined filters immediately fish compliance-relevant data such as credit cards or other personal details out of the data pool and mark them. Once let loose on the data, this AI develops a company-related language, a company dialect. And the longer it works and the more company data it examines, the more accurate its results become. The charm of this AI-driven classification is particularly evident when new requirements have to be met. Whatever the AI Act brings, the ML and AI-driven classification will be able to search for these additional attributes and give the company a degree of future-proofing.
- Control data flows: Once the data has been ranked and classified with the correct characteristics, rules can be automatically enforced by the underlying data management platform without the data owner having to intervene. This reduces the chances for human error and the risks. For example, a company could enforce that certain data such as intellectual property or financial data may never be passed on to other storage locations or external AI modules. Modern data management platforms control access to this data by automatically encrypting it and requiring users to authorize themselves using access controls and multi-factor authentication.
Conclusion: AI will transform the economy like the Internet did. Companies want their employees to use AI in innovative ways. AI itself has the power to tame AI by being able to examine the data and its content. This opens up many good ways for companies to control the use of AI without having to fear high risks and penalties.”
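The two technical recommendations above, automatic classification with predefined filters and rule-based control of where classified data may flow, can be illustrated with a small added example. This code is not Cohesity's and is not from the article; it assumes its own regular expressions for card numbers and e-mail addresses, a Luhn checksum to avoid tagging arbitrary digit runs (order numbers, timestamps) as cards, a hypothetical transfer policy table keyed by destination names such as `external_ai`, and a handful of constructed sample records:

```python
"""Added example (not Cohesity's code): tag records that carry
compliance-relevant content and enforce a transfer policy on the tags."""
import re
from typing import Dict, List, Set, Tuple

# Detection patterns are assumptions for illustration: a 13-19 digit run
# with optional spaces/dashes, and a simple e-mail shape.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum, so that random digit runs are not tagged as cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the set of compliance labels found in one record."""
    labels: Set[str] = set()
    if any(luhn_valid(m) for m in CARD_RE.findall(text)):
        labels.add("financial")
    if EMAIL_RE.search(text):
        labels.add("personal")
    return labels


# Hypothetical policy: labels that may never reach a given destination.
TRANSFER_POLICY: Dict[str, Set[str]] = {
    "external_ai": {"financial", "personal"},   # public LLM API
    "internal_analytics": {"financial"},        # in-house ML, PII allowed
    "encrypted_archive": set(),                 # encrypted at rest, MFA-gated
}


def may_transfer(labels: Set[str], destination: str) -> Tuple[bool, str]:
    """Deny by default for unknown sinks; otherwise block on any denied label."""
    if destination not in TRANSFER_POLICY:
        return False, f"unknown destination {destination!r}"
    blocked = labels & TRANSFER_POLICY[destination]
    if blocked:
        return False, "blocked labels: " + ", ".join(sorted(blocked))
    return True, "allowed"


# Constructed sample records: test data, not real persons or cards.
SAMPLE_RECORDS: List[str] = [
    "Quarterly roadmap draft, no customer data included.",
    "Refund for order 1234 5678 9012 3456 approved by finance.",
    "Customer card on file 4111 1111 1111 1111 expires 12/26.",
    "Support ticket from anna.example@example.org about login issues.",
]


def audit(records: List[str], destination: str) -> List[Tuple[str, bool]]:
    """Classify each record and decide whether it may flow to destination."""
    decisions = []
    for rec in records:
        ok, _reason = may_transfer(classify(rec), destination)
        decisions.append((rec, ok))
    return decisions


if __name__ == "__main__":
    for rec, ok in audit(SAMPLE_RECORDS, "external_ai"):
        print("ALLOW" if ok else "BLOCK", "|", sorted(classify(rec)), "|", rec[:50])
```

Note that the order number in the second record is a 16-digit run that fails the Luhn check, so it is not tagged `financial`; the policy is deny-by-default for destinations it does not know, which is the behaviour a data owner would want when a new sink is added before the rules have been updated.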
More at Cohesity.com
About Cohesity
Cohesity greatly simplifies data management. The solution makes it easier to secure, manage and create value from data - across the data center, edge and cloud. We offer a full suite of services consolidated on a multi-cloud data platform: data backup and recovery, disaster recovery, file and object services, development / testing, and data compliance, security and analytics. This reduces the complexity and avoids the fragmentation of the mass data. Cohesity can be provided as a service, as a self-managed solution, and through Cohesity partners.