The European Data Protection Supervisor (EDPS) could face a critical response from MPs in its next parliamentary mandate, with key parts of the region's data protection and privacy regime under attack from industry lobbyists. I was warned that there would be.
Wojciech Wiewiorowski, the head of the regulator that oversees compliance with data protection rules by European Union institutions, warned on Tuesday: “We are making a very strong attack on the very principles.” . He was responding to questions from members of the European Parliament's Human Rights Committee who were concerned about the risk of watering down the European Union's General Data Protection Regulation (GDPR).
“What I especially want to say is that [GDPR] Minimization principles and objective limitations. Purpose limitations will no doubt be called into question in the coming years. ”
The GDPR's purpose limitation principle implies that data operations must be linked to a specific use. Further processing may be possible, but this may require, for example, obtaining permission from the owner of the information or another valid legal basis. Therefore, a purpose-restricted approach introduces intentional friction in data manipulation.
Parliamentary elections are due in June, and the European Commission's mandate expires at the end of 2024, so a change in the EU executive is also imminent. Changes in approach by incoming MPs could impact the EU's high standards of protection for national data.
Although the GDPR only came into effect in May 2018, Wiewiorowski, who crystallized his views on future regulatory challenges at a lunchtime press conference following the publication of the EDPS annual report, said that the next He said the composition of parliament would include a small number of members. Major Privacy He was involved in drafting and passing the framework.
“Those who will work in the European Parliament will see the GDPR as a historic event,” he said, adding that questions remain among incoming parliamentarians about whether this landmark legislation is still fit for purpose. I expected that there would be a willingness to discuss it. But he also said that every time the composition of an elected parliament changes, the process of reconsidering some of the past laws repeats itself.
However, he highlighted industry lobbying, particularly complaints from companies targeting the GDPR's Purpose Limitation Principle. Wiewiórowski said some in the scientific community believe this element of the law is a limitation of the study.
“There are certain expectations from some people.” [data] Air traffic controllers said they will be able to reuse the data collected for Reason A to find things we aren't even looking for. ” “There is an old saying from a company representative that purpose restriction is one of the greatest crimes against humanity, because we need this data, but for what purposes will it be used? Because I don't know.
“I don't agree with that. But we can't close our eyes to the fact that this question is being asked.”
Any changes from the GDPR's purpose limitations and data minimization principles could have significant privacy implications in regions that are passing comprehensive data protection frameworks for the first time. The EU is still considered to have the strongest privacy rules anywhere in the world, but the GDPR is creating a similar framework elsewhere.
GDPR includes an obligation on those who wish to use personal data to process only the minimum amount of information necessary for the purpose (also known as data minimization). Furthermore, personal data collected for one purpose may not be reused for another purpose without permission.
But now, as the industry as a whole develops increasingly powerful generative AI tools, there is a massive scramble for data to train AI models, which goes directly against the EU's approach. It is a driving force.
OpenAI, the creator of ChatGPT, is already facing problems here. The company faces a number of GDPR compliance issues and investigations, including one related to its alleged legal basis for processing people's data for model training.
Wiewiórowski did not explicitly say that it was generative AI that caused a “powerful attack” on the GDPR's purpose limitation principle. However, he cited AI as one of the key challenges facing data protection regulators in the region as a result of fast-paced technological developments.
“Issues related to artificial intelligence and neuroscience are going to be the most important part of the next five years,” he predicted of early technology challenges.
“At the point of the AI revolution, the technical part of our challenge is very clear, even though it is not so much a technological revolution. There is rather a democratization of tools. But at the same time, Russia's war in Ukraine “In times of great uncertainty like we are currently living in, we must also remember that technology is developing every week,” he said.
War has played an active role in promoting the use of data and AI technologies, with AI playing a major role in areas such as satellite image analysis and geospatial intelligence, for example in Ukraine, but in other parts of the world. Wiwiorowski said battlefield applications are driving the spread of AI. . He further predicted that the impact would be felt throughout the economy in the coming years.
Regarding neuroscience, he pointed to regulatory challenges arising from the transhumanism movement, which aims to improve human performance by physically connecting people to information systems. “This is not science fiction,” he said. “[It’s] what's happening now. And we need to prepare for that from a legal and human rights perspective. ”
An example of a startup targeting the idea of transhumanism is Elon Musk's Neuralink, which is developing a chip that reads brain waves. Facebook owner Meta is also reportedly working on an AI that can interpret people's thoughts.
Privacy risks in an era of increasing convergence of technological systems and human biology can indeed be significant. Therefore, the weakening of EU data protection laws due to AI is likely to have short-term and long-term consequences for people's human rights.