EU-Japan artificial intelligence cooperation

EU Vice-President Ansip and Japan Minister Hirai discussed bilateral cooperation to promote a human-centric approach to artificial intelligence (AI), building on the joint statement of the 26th EU-Japan summit.

European Commission Vice-President for the Digital Single Market, Andrus Ansip and Japan’s Minister of State for Science and Technology Policy, Takuya Hirai said after their meeting: “The speed of AI’s development and the global changes that it entails are at the heart of EU-Japan cooperation. It is not only important to advance and progress in AI, but also to develop and promote human-centric and ethical approaches in technologies as a basis for the development and deployment of AI. In this way, we can build trust, encourage people’s understanding and acceptance of AI and develop societies that embrace it.”

There are two publications available that are pronounced int his regard and show the direction that is intended to be adopted: “Japan’s “Social Principles of Human-Centric AI” and the European Commission’s Communication on Building Trust in Human-Centric AI.”

Both approaches share common values and aims. Japan has set out seven principles: (1) human-centric, (2) education, (3) privacy, (4) security, (5) fair competition, (6) fairness, accountability, transparency and (7) innovation. These will form the basis for creating a human-centric “Society 5.0” that can successfully combine cyber space with physical space. They go hand in hand with the seven key requirements that the Commission supports to develop AI that people can trust: (1) human agency and oversight, (2) technical robustness and safety, (3) privacy and data governance, (4) transparency, (5) diversity, non-discrimination and fairness, (6) environmental and societal well-being and (7) accountability.

“The EU is preparing to launch its new research and innovation programme, Horizon Europe. The new Japanese Moonshot Research & Development Programme, at the same time, promotes R&D for disruptive innovation and targets solutions to ambitious social and economic challenges. With the introduction of these new programmes on both sides, we expect EU-Japan cooperation in science, technology and innovation to increase in areas of mutual interest, in line with last year’s EU-Japan Strategic Partnership Agreement.” Said Commissioner Moedas and Minister Hirai.

They expect EU-Japan cooperation in science, technology and innovation to increase in areas of mutual interest.

If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.

Unlawful voice data to be deleted!

A complaint from the Big Brother Watch instigated an investigation into HMRC’s Voice ID service. The ICOs investigation mainly dealt with the voice authentication for customer verification on some of HMRC’s helplines since January 2017.

Customers were given insufficient information when it came to how their biometric data would be processed. Biometric data is considered special category information and is subject to stricter conditions. They were also denied the opportunity to give or withhold consent, which is a breach of GDPR.

Steve Wood, Deputy Commissioner at the ICO, said:

“We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service”. “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”

By now the ICO have issued its final enforcement notice, giving HMRC 28 days from that date to complete deletion of relevant biometric data records, held under the Voice ID system for which it does not have explicit consent.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Cookies, Security and Website tracking

The Dutch data protection authority has recently published its fining policy for violations of GDPR and the Dutch law implementing GDPR. When it comes to cookies, the Dutch DPA’s conclusion is that it is not compliant with GDPR for website pop-ups to block users from access to the site unless they consent to the use of tracking cookies.

Websites that only give visitors access to their site if they agree to place so-called ‘tracking cookies’ or other similar ways of tracking and recording behaviour through software or other digital methods do not comply with GDPR, according to the DPA.

“The digital tracking and recording of surfing behaviour on the Internet via tracking software or other digital methods is one of the largest processing of personal data, because almost everyone is active on the Internet. To protect privacy, it is therefore important that parties request permission from website visitors in a good way, ”says Aleid Wolfsen, chairman of the Dutch DPA.

“In this way people can make conscious and correct use of their right to the protection of personal data. If a website asks for permission for tracking cookies and if it is refused access to the website or service is not possible, people give up their personal data under pressure and that is unlawful. ”

If an individual cannot decide not to give permission without facing any consequences then it is not real free choice.

Letters have been sent out to businesses who had the most complaints against them and the Dutch DPA will intensify its monitoring to see whether the standard is being applied correctly in the interest of protecting privacy.

Furthermore, a guidanceregarding cookie walls has been published by the Dutch DPA.

Pursuant to GDPR Recital 32, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”. According to the Dutch DPA, the freely given requirement would not be met by a cookie wall, as it  means that the user has no choice but to consent in order to access the website. In this case consent would be an imposition instead of an alternative. The Dutch DPA suggests websites should offer meaningful options for users to access a website without consenting to tracking cookies, such as a on the basis of a payment for access model.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Svea Ekonomi ordered to correct its practices in the processing of personal data

Due to two cases concerning data protection, financial credit company Svea Ekonomi has to improve its practices when it comes to the processing of personal data related to the assessment of creditworthiness, the right of inspect one’s own personal data and notification practices.

One of the cases deals with the personal data of a data subject used to assess creditworthiness and the data subject’s right to inspect data concerning them.

The Office of the Data Protection Ombudsman continued to investigate the matter concerning the company’s notification practices upon its own initiative.  The Data Protection Ombudsman looked at the use of a categorical upper age limit in assessing creditworthiness, and stated that it is notacceptable under the definition of credit information set out in the Credit Information Act.

Svea Ekonomi was ordered to change the processing of personal data related to assessing creditworthiness. The data subject also needs to be provided with information on the logic employed in automatic decision-making, its role in making the credit decision as well as its consequences for the credit applicant, as, according to the Ombudsman, the company’s on-line credit decision service should be considered automatic decision-making of the kind referred to in Article 22 GDPR.

Pursuant to the Article 22 and recital 71 GDPR, “In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.

Furthermore, Svea Ekonomi’s notification practices related to the automatic decision-making system used to assess creditworthiness, was also investigated. The investigation found that the notification practices is insufficient in specifying the logic of data processing so that the credit applicant could understand the grounds for the decision and ordered that such notification practices be changed.

Svea Ekonomi had until the 30th April 2019 to implement the changes based on the Data Protection Ombudsman’s decision.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.