AI and Data Privacy: US and European Privacy Laws


Wednesday, May 11, 2022
12:00 PM - 01:00 PM Eastern Daylight Time

With the growing interest in artificial intelligence (AI) and the promise it holds for business and consumer applications comes an important question: What about privacy? During this program we will delve into the potential conflict between AI and privacy and consider the varying rules and regulations that may apply, from both US and European privacy law perspectives.

Key Takeaways: Can AI and Data Privacy Coexist?

On a Collision Course?

Artificial intelligence (AI) can magnify the analysis of personal information in ways that may intrude on privacy. Individual data pieced together through an algorithm could highlight a person’s buying patterns, or even make determinations about their health.

Privacy Rights

We have seen the proliferation of data privacy regulations and guidance being enacted across Europe and the United States. One of the most sweeping regulations is the EU General Data Protection Regulation (GDPR), enacted in 2018 and currently mirrored by the United Kingdom’s own GDPR post-Brexit.

The GDPR is very important in the context of AI. But, while there are guidelines in place across the United States, there is no comprehensive federal legislation. Individual states have introduced their own privacy laws, with some similar to the GDPR.

Specific guidance relating to AI is in place in the United Kingdom and European Union, with further regulation expected in the future.


A solution for AI projects? Approaches vary and the GDPR makes a distinction between anonymization—the process of permanently removing personal identifiers—and pseudonymization—a technique that replaces or removes identifying information in an individual’s data set but leaves the data able to be reidentified. Neither approach is acceptable. Under the California Consumer Privacy Act, if data can be reidentified, there is a possibility that the data is usable.

Data Acquisition

Consider vendors that work with, indirectly handle, or have access to sensitive data from multiple companies. It is important to have a privacy policy in place to clarify what, how, and why data will be collected, and with whom it is shared.

Security Measures

In the United States, different state laws provide rules for reasonable security provisions, but keep in mind that sector-focused laws may also apply, requiring written information security plans, encryption, and training.

The GDPR does not have a prescriptive requirement for technical and organizational measures to protect personal data, although contracts may require certain security standards. Note that GDPR data processing agreements must include security obligations.

Plan Ahead

It is important to consider data privacy when undertaking an AI project or business plan. There may be consequences tied to the data you have access to, so take steps to mitigate any potential exposure.

CLE credit: CLE credit in CA, CT, FL, IL, NJ (via reciprocity), NY, PA, and TX is currently pending approval.