Machine Learning and The GDPR Is More Than Just Profiling Activities

The Multi jurisdictional Scope of The EU GDPR. Waiting for The USA To Be Global
January 14, 2019
European GDPR Update 8 Months After Implementation. Stay Calm and Implement
January 14, 2019
The EU General Data Protection Regulation, known as GDPR, is the most critical change in data privacy regulations in the 21st century, and it will have a significant impact on many aspects of data collection and processing activities of data of EU residents and will affect not only EU companies but also multinationals that operate in EU.

Profiling in GDPR safeguards the right of the data subjects, not to be subjected to decision making based solely on automated processing, including profiling. GDPR further focuses on the legal effects concerning the data subject right to be informed about the existence of automated decision-making in rge profiling activity. The EU residents have the right to receive meaningful information about the logic involved, as well as the implication and the foreseen consequences of such processing.

Data Protection and Privacy will impact of using machine learning to conduct profiling of individuals

GDPR explores the machine learning applications that are relevant to data protection rights and obligations including the implications for the development and deployment of machine learning systems and how personal data are collected and used.

One possible and significant effect of GDPR on Machine Learning is the “right to an explanation”.

Machine learning, together with big data, IoT, and algorithms. in connection with the implementation of Data Protection and Privacy will impact of using machine learning to conduct profiling of individuals in the context of the GDPR.

Machine learning also needs to be referenced to the compliance component of the first data protection principle of lawful, fair, and transparent processing means in the context of using machine learning for profiling purposes. We ask whether automated processing is utilising machine learning, including for profiling purposes, might offer benefits and not merely present challenges about fair and lawful processing.

What Does The GDPR Say?

Article 22 addresses automated decision-making specifically:

the data subject shall have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The three exemptions when they apply to process:

  • Vital for entering into, or the performance of, a contract between the data subject and a data controller;
  • When authorised by a union or member state law and when the controller ensures suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  • is based on the data subject’s explicit consent.

Article 13 provides provision for the data subjects right to an explanation of the logic involved. GDPR does not forbid profiling. However it requires the accountability and transparency in operations and the accuracy of data. The data subject will always have the right to opt out. There are several  other articles where GDPR requires an explanation of the decision made by a machine learning algorithm to protect the data subject.

What Is Machine Learning?

Machine learning is a field of computer science, closely related to computational statistics. It has many applications which include adaptive websites, bioinformatics, computer networks, computer vision including object recognition, information retrieval, internet fraud detection, marketing, online advertising, search engines and more. Even before the GDPR came into play, there were a lot of ethical questions surrounding machine learning. From those worried humans will lose their jobs once AI takes over, to those who say there’s no way we can trust robots to make decisions, those against machine learning have always let their voices be heard. Now we add to that the paragraphs dedicated to automated-decision making and profiling in the GDPR. The new regulation does not prohibit these activities, but it does restrict the elaborate applications.