The European Data Protection Supervisor (EDPS) has warned that key planks of the bloc’s data protection and privacy regime are under attack from industry lobbyists and could face a critical reception from lawmakers in the next parliamentary term.
“We have very strong attacks on the authorities themselves,” warned Wojciech Wiewiórowski, head of the regulator that supervises the European Union institutions’ own compliance with the bloc’s data protection rules, on Tuesday. He was responding to questions from members of the European Parliament’s civil liberties committee about whether the European Union’s General Data Protection Regulation (GDPR) is at risk of being undermined.
“Especially I mean the [GDPR] principles of minimization and limitation of purpose. The limitation of purpose will certainly be challenged in the years to come.”
The GDPR’s purpose limitation principle means that a data operation must be tied to a specific use. Further processing may be possible — but, for example, it may require obtaining permission from the person whose information it is or having another valid legal basis. Thus, the purpose limitation approach introduces intentional friction in data operations.
Parliamentary elections are coming up in June, while the Commission’s term ends at the end of 2024, so changes are also looming in the EU’s executive branch. Any change of approach by incoming lawmakers could have implications for the bloc’s high level of data protection for people.
The GDPR has only been operational since May 2018, but Wiewiórowski, who outlined his views on the upcoming regulatory challenges during a lunchtime press conference following the publication of the EDPS annual report, said the next parliament would contain few lawmakers who were involved in drafting and passing the landmark privacy framework.
“We can say that these people who will be working in the European Parliament will see the GDPR as a historic event,” he suggested, predicting there will be appetite among incoming MEPs to debate whether the landmark legislation is still fit for purpose. He also said, though, that reviewing previous laws is a recurring process every time the composition of the elected parliament changes.
But he especially emphasized industry lobbying, in particular complaints from businesses targeting the GDPR’s purpose limitation principle. Some in the scientific community also see this element of the law as a limit on their research, per Wiewiórowski.
“There is a kind of expectation from some of the [data] auditors that they will be able to reuse the data collected for reason ‘A’ to find things that we don’t even know we’re going to look for,” he said. “There’s an old saying from a business person who said that limiting purpose is one of the greatest crimes against humanity, because we’re going to need that data and we don’t know what for.
“I don’t agree with that. But I can’t close my eyes to the fact that this question is being asked.”
Any shift away from GDPR’s purpose limitation and data minimization principles could have significant privacy implications in the region, which was the first to pass a comprehensive data protection framework. The EU is still considered to have some of the strongest privacy rules anywhere in the world, although GDPR has inspired similar frameworks elsewhere.
Included in the GDPR is an obligation for those who want to use personal data to process only the minimum information necessary for their purpose (aka data minimization). Furthermore, personal data collected for one purpose cannot simply be reused, willy-nilly, for any other use that may occur.
But with the current industry-wide push to develop ever more powerful AI tools, there is a huge scramble for data to train AI models — a push that runs directly counter to the EU’s approach.
OpenAI, the maker of ChatGPT, has already run into problems here. It is facing a number of GDPR compliance issues and investigations — including those related to the claimed legal basis for processing individuals’ data for model training.
Wiewiórowski did not specifically blame generative AI for driving the “powerful attacks” on the GDPR’s purpose limitation principle. However, he named artificial intelligence as one of the key challenges facing the region’s data protection regulators as a result of rapid technological developments.
“Problems related to artificial intelligence and neuroscience will be the most important part of the next five years,” he predicted of the emerging technological challenges.
“The technological part of our challenges is quite obvious in the era of the artificial intelligence revolution, despite the fact that this is not so much the technological revolution. Rather, we have the democratization of tools. But we also have to remember that in times of great instability, like the ones we’re having right now – with Russia’s war in Ukraine – that’s when technology is developing every week,” he also said.
Wars play an active role in promoting the use of data and AI technologies — such as in Ukraine, where artificial intelligence has played an important role in areas such as satellite imagery analysis and geospatial intelligence — with Wiewiórowski saying battlefield applications are driving AI adoption in other parts of the world. The effects will ripple through the entire economy in the coming years, he further predicted.
On neuroscience, he pointed to regulatory challenges arising from the transhumanism movement, which aims to enhance human capabilities by physically connecting people to information systems. “This is not science fiction,” he said. “[It’s] something that is happening right now. And we have to be ready for that from a legal point of view and from a human rights point of view.”
Examples of startups targeting transhumanism ideas include Elon Musk’s Neuralink, which is developing chips that can read brain waves. Facebook owner Meta has also been reported to be working on AI that can interpret people’s thoughts.
The privacy risks in an era of increasing convergence of technological systems and human biology could be serious indeed. Thus, any weakening of EU data protection law due to AI in the short term is likely to have long-term consequences for citizens’ human rights.