Privacy and AI: Protecting Individuals in the Age of AI

March 22, 2024

Darren Grayson Chng reviews a new book on the perils of privacy and AI

With AI continuing to be in vogue this year, the democratisation of publishing has led to content about AI of varying lengths and quality being published every day – journal articles, three-page law firm updates, LinkedIn posts linking to a webpage without saying much more. Some are wrought by the human hand. An increasing number, I suspect, are written by AI.

Which raises the question: where now can you find a longer and more thought-out analysis of privacy issues in the context of AI? One source that I checked out was ‘Privacy and AI: Protecting Individuals in the Age of AI’.

This 301-page book aims to do three things: (a) discuss critical challenges posed by AI systems’ processing of personal data and how the European legal framework (as at December 2023) addresses these challenges; (b) propose alternative pathways to better protect the rights of individuals without stifling innovation; and (c) bridge the gap between the legislative and judicial interpretation, as well as the practical and operative aspects concerning personal data protection.

The first of the book’s five chapters takes the reader through concepts such as the definition of “personal data” in the GDPR, the definition of “AI system” in the 2021 Artificial Intelligence Regulation draft, and what the term “AI” covers, such as supervised and unsupervised machine learning. If you know these basics, you can skip this chapter.

Useful in Chapter Two is the discussion on what the GDPR processing principles require in the context of AI development, and specific challenges (and ensuing risks) that data controllers and AI developers or deployers may face, under Articles 5 and 6(1) of the GDPR. For example, when it comes to relying on consent as a lawful basis for processing, the book highlights an Italian case in which the Italian Court of Cassation ruled that consent is not valid if individuals are not adequately informed about the underlying logic and are then subject to an automated decision-making system that may influence their rights.

Chapter Three covers the rights of data subjects whose personal data is processed using AI systems. A huge amount of space is rightfully devoted to Article 22 of the GDPR (the right not to be subject to a decision based solely on automated decision-making which produces legal effects), and to its safeguards and exceptions. The chapter also touches on how other data subject rights and accountability mechanisms under the GDPR may affect the development or deployment of AI systems. It ends off by discussing general GDPR accountability mechanisms that controllers must comply with when processing personal data using AI systems.

Chapter Four, titled ‘Overcoming the Limitations of the GDPR’, deep dives into the challenges of ensuring transparency, fairness, and non-discrimination when processing personal data using AI systems.

The last chapter proposes seven measures to further mitigate the risks posed by AI systems: (a) establishing a register of AI systems or AI providers; (b) appointing an AI Ethical Officer to oversee AI ethics within the organisation; (c) standardisation of AI systems; (d) certification of AI systems; (e) establishing codes of conduct for AI operators; (f) empowering national public authorities to correct law-breaking behaviours; and (g) using Privacy by Design measures (which I would describe as privacy-enhancing technologies) to reduce the identifiability of data, e.g., anonymisation, encryption, synthetic data.

At the end of the book are two Annexes. Annex I contains a little more information on machine learning algorithms. Annex II contains a checklist that tests an organisation’s readiness to comply with the 2021 draft proposal for the Regulation of Artificial Intelligence (AI Act).

This book is generally written in plain English, so I think it is a rather useful starting point for anyone tasked with operationalising AI laws and guidelines, particularly those in the EU and UK. I for one enjoyed the book’s practical bent, with references to the draft AI Act, legislation, case law, and non-binding instruments such as the UK Information Commissioner’s Office’s guidelines. Experienced professionals will be able to breeze through certain sections quickly, which nevertheless are useful for catching blind spots.

Darren Grayson Chng is a data and tech lawyer in Singapore.

About the book
  • Privacy and AI: Protecting Individuals in the Age of AI by Federico Marengo
  • Published August 2023
  • Paperback, 302 pages
  • ASIN: B0CFZGXQ7J
  • €69.99

Available as an ebook from the author at EUR 69.99 or in hardcopy on Amazon.