Closed engin-bozdag closed 1 year ago
Two options: 1) you revise GDPR section to ensure it aligns with GDPR. I am also happy to take a stab here if you want me to send a pull request with edits 2) Remove GDPR reference and stick to FIPP's (access, correct, minimization, accuracy, consent, purpose specification and use limitation, security, transparency).
Thanks very much, Engin. I knew I could count on you. Wow, covering algorithm privacy is a slippery slope for sure. I just processed your most urgent comments and will pick the rest up later. I didn't cover article 25 because the guide is not meant to discuss engineering for privacy in general. It already states that, but I should make that more precise and refer to some external guidance on this (e.g. article 25).
Engin has delivered on these issues
The GDPR section is incomplete and contains some errors. Further, GDPR is only one of the privacy legislations available. There are other legislations that have more strict rules than the GDPR. Adding examples of issues:
"Mostly the discussion is about human rights aspects that are not about privacy in the sense of data protection per se. For example, the right to equal treatment is often discussed around AI, but it's not a privacy issue as it does not concern data protection directly." This is not true if you follow EDPB Guideline from 2019. Quoting: "Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data". So, there is an expectation of non-discrimination under the GDPR. Also see https://iapp.org/news/a/what-is-the-role-of-privacy-professionals-in-preventing-discrimination-and-ensuring-equal-treatment/
Art 22 not only requires human oversight, but also the ability to contest the decision. Rec. 71 also refers to "obtain an explanation of the decision reached after such assessment". What this explanation is unspecified (global vs local explanations)
You state that "the GDPR does not restrict the applications of AI explicitly" and refer to Art 6. First, if an AI application is under the scope of Art 22 (automated-decision making) and if sensitive data is involved (Art 9), then not all options under Art 6 is allowed
At the start of the Section How to deal with AI privacy , you discuss 6 principles from Art 5 of the GDPR, but you only apply three of them to AI.
You omit other GDPR requirements such as Art 25, which requires appropriate technical and organizational measures, including pseudonymization, which is highly relevant for the GDPR