Public consultation on the ethical principles of Artificial intelligence

The European Commission has published the results of the public consultation on the ethical principles of Artificial intelligence.

Can you imagine being one of the decision makers behind the ethical choices of the people who serve us in shops and establishments? For example, imagine going to the bank to ask for a credit card and being able to discuss with the person in charge the ethical reasons for granting or denying your request. Or imagine parents asking a headteacher which human rights he or she has taken into account in deciding whether or not their child should be enrolled. It would be crazy to think of a society where every single action is judged against imposed ethical values used as a benchmark to determine what type of house one should have or which countries one should travel to, much like the famous episode of the Black Mirror series.

Well, it may not be as crazy as we imagine: something similar is being elaborated by the European Commission, although it applies not to people but to artificial intelligence. This is less striking, because the ultimate goal of artificial intelligence is to resemble human behaviour as closely as possible, while retaining the advantages that automation brings. In this sense, it is necessary to give artificial intelligence certain ethical values that wrap its actions and decisions in a minimum of moral norms, allowing its insertion into society.

For this purpose, a group of experts on Artificial Intelligence published on 18th December a report on the ethical basis that must be present in systems that incorporate artificial intelligence (you can read a summary of the document here). The key initiatives include the establishment of framework ethical principles and the practical implementation of solutions, in both cases from the “human-centric approach”, which prioritises the civil, political, economic and social status of the human being.

The draft was put out for public consultation, and the Commission has now published the results, which you can access here. The final document is expected to be published in March, in order to create an ethical commitment to which companies and institutions can freely adhere.

If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.

Italian DPA, Facebook and Cambridge Analytica

Italian DPA’s investigations have shown additional instances of unlawful processing in the Facebook and Cambridge Analytica case.

The Italian Data Protection Authority (Garante per la protezione dei dati personali) is ready to impose sanctions on Facebook in connection with the ‘Cambridge Analytica case’.

Apart from the data transmitted to Cambridge Analytica, the investigation found that Italian nationals’ data acquired through the ‘Thisisyourdigitallife’ app were processed unlawfully, because no appropriate information had been given and no specific consent had been obtained. The Garante might initiate a separate proceeding in this regard, which could result in an administrative fine.

Furthermore, the inquiry found that a software product called ‘Candidati’ [Candidates], installed on Facebook’s platform, failed to properly inform users of its data-collection practices and purposes. The social media platform shared the information, including sensitive data such as political opinions, with third parties on the eve of the Italian national elections.

The fact-finding inquiries reveal that Facebook based the data processing on a general consent declaration that was not specific, informed and unambiguous, which is not in line with GDPR requirements.

The Italian DPA reserved the right to impose sanctions for the unlawful processing of personal data. Given that Facebook’s main EU establishment is in Ireland, the Garante and the Irish supervisory authority are cooperating in order to take action as appropriate.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Spanish National Cyber-security Incident Notification and Management Guide Overview

Spain has become the first country in the European Union to have a single framework for the notification and management of cyber-security incidents.

The Spanish National Cyber-security Incident Notification and Management Guide, approved by the National Cyber-security Council, is a technical document that creates a benchmark for notifying and managing cyber-security incidents within Spanish territory. It is addressed to both the public and private sectors and standardises the criteria in this field.

The Guide establishes a “one-stop” notification mechanism, meaning that incidents are reported only to the relevant CSIRT: the National Cryptologic Centre of the National Intelligence Centre (CCN-CERT) for the public sector, and the National Cybersecurity Institute (INCIBE-CERT) for the private sector.

The Guide comprises a classification system for incidents, which are sorted into ten categories: abusive content (e.g. spam), harmful content (e.g. malware), information gathering (e.g. network traffic monitoring), intrusion attempt (e.g. access to credentials), intrusion (e.g. compromised applications), availability (e.g. DDoS), compromised information (e.g. lost data), fraud (e.g. phishing), vulnerable (e.g. weak cryptography) and other.

Each incident is assigned a particular danger level, defined by the risk the incident would pose to the affected organisation’s systems if it materialised. There are five danger levels: critical, very high, high, average and low. Additionally, the Guide sets up an impact indicator to assess the post-incident consequences for the organisation’s or company’s activities and systems. Depending on this indicator, the impact will be critical, very high, high, average or low. There is an extra category called “no impact”, for cases where the incident has caused no damage at all.

As for the management of cyber-security incidents, the Guide establishes a six-step process to prevent incidents and to handle them properly when they do occur. The phases are: preparation (e.g. updated policies), identification (e.g. network monitoring), containment (e.g. information assessment and classification), mitigation (e.g. recovery of the latest backup copy), recovery (e.g. restoring activities) and post-incident actions (identification and analysis of the origin of the incident and its costs).


Anti-encryption Australian law and GDPR

The new controversial Australian anti-encryption law allows the government to access encrypted data.

On 6th December 2018, the Australian Parliament approved an anti-encryption law that conflicts with essential privacy principles globally, and directly with the GDPR.

Under this regulation, Australian companies will be obliged to build “backdoors”, i.e. covert access mechanisms that make information available to the Government, while being prohibited, under penalty of imprisonment, from disclosing the existence of such a mechanism to users or customers or in any other public way. In this way, companies will be compelled even to falsify data for audits that could reveal such a vulnerability.

What then happens to international customers of Australian software companies? Users currently rely on the implementation of end-to-end encryption, but this feature will need to be modified to allow government access to the data being processed, implying that any information on clients, including information related to a security breach, confidential environments or intellectual property elements.

This regulation adds the risk of the Government having the information at its disposal; it also presents many technical threats and introduces international regulatory compliance challenges.

The application of the new anti-encryption law will therefore create complete uncertainty for users whose data are stored on Australian software platforms: they will not be able to know whether the processing is completely safe or subject to vulnerabilities, since the government even prevents these companies from withdrawing the encryption notices from their web pages.

This situation will prevent any controller or processor in the EU from assessing an Australian company’s compliance with and adaptation to the GDPR, which will create obstacles to the use of the respective platforms or tools under Article 28 of the GDPR.
