The government released a 10-year plan to “make Britain a global AI superpower”. Globally, AI is one of the fastest-growing tech sectors, and the government has been considering how best to unleash its full potential whilst taking into account a number of the legitimate concerns around personal data. This is a good example of the continued tension between the speed of innovation and the need for law and regulation to adapt and stay relevant to manage the risks.
UK GDPR currently prevents organisations from taking decisions based solely on automated processing where those decisions produce a legal or significant effect for an individual, unless the decision is a) necessary for the performance of a contract, b) authorised by law, or c) based on the data subject’s explicit consent. This makes the application of personal data in AI difficult, as it requires human input in reviewing which data is allowed to be used.
If AI advancement is to be prioritised, there is a need for a more AI-centric approach and flexibility. The approach being taken is less an adaptation of GDPR to AI needs and more an adoption of AI legislation. The government has introduced the Data Protection and Digital Information (No. 2) Bill and a white paper for a pro-innovation approach to AI regulation.
If the Bill is enacted, automated decision-making will no longer be restricted to the three circumstances outlined above, unless the personal data is special category data. Rather, where significant decisions are made, the individual is to be notified afterwards, must be able to make representations about the decision / obtain human intervention (e.g. a review) of the decision, and must be able to contest the decision. This is a paradigm shift in the current approach to the protection of personal data.
The government has significant ambitions for AI and has left itself further room to manoeuvre with the proposed legislation. The Secretary of State may have the right to amend a) what constitutes a significant decision and b) the safeguards for decisions taken through solely automated processing. The reason given for this is to allow flexibility, so the law keeps pace with advancing technologies and changing societal expectations of what a significant decision is, in a privacy context.
There is a difficult balancing act for the future between prioritising data protection and allowing leniency in the GDPR rules to promote AI development and innovation.