It has recently become a common opinion that the European Union is the world leader in the field of data protection.
According to the CE CAHAI (Ad Hoc Committee on AI) Draft analysis of the Multi-Stakeholder Consultation (CAHAI-COG(2021)01[1]):
&hellip, many respondents from different continents and legal cultures praise the European General Data Protection Regulation (EU GDPR) as the most effective binding legal instrument and propose it as a model for the regulation of AI, they do not think the existing legal instruments either apply specifically to AI or prevent effectively violation of human rights, democracy and the rule of law (Q24). Examples of existing regulatory instruments provided in response to Q23 fall in one category or the other (p. 37).
The GDPR has an enormous influence worldwide and has become the most influencing law across the world and the model for different jurisdictions.
The GDPR puts the human and human rights first and provides well-balanced approach.
This year we can see that the EU shifts its comprehensive regulatory approach for data protection to the area of AI.
The EU consistently builds up its digital economy, and each piece of legislation plays the role of the next brick in this building. Therefore, each piece of legislation is fully coherent to others and provide the same principles.
April 25, 2018 the European Commission issued the AI Strategy (AI for Europe)[2], where it defined the meaning of AI, identified key problems in this area, established the main principles and worked out the plan for the future regulation. Alongside with AI Strategy the Coordinated Plan for the EU and the Member States was enacted.
It should be made clear that there are plenty of different approaches to define AI. Some of them are based on particular relevant technologies. But this approach seems to be too narrow and, as all technology-dependent definitions, prone to become outdated in future. So, technology-neutral approach seems much better.
The Commission as well as the High-Level Expert Group on AI provides a technology-neutral definition. According to this definition, AI refers to systems that display intelligent behaviour by analysing their environment and taking actions with some degree of autonomy to achieve specific goals.
AI-based systems can be purely software-based, acting in the virtual world (e.g. voice assistants, image analysis software, search engines, speech and face recognition systems) or AI can be embedded in hardware devices (e.g. advanced robots, autonomous cars, drones or Internet of Things applications).
We are using AI on a daily basis, e.g. to translate languages, generate subtitles in videos or to block email spam[3].
Currently when we speak about AI, in the vast majority of cases we mean machine learning, particularly deep learning. According to the European Commission, Deep learning has been a game-changer for AI with a tremendous improvement in performance for specific tasks such as image or speech recognition, or machine translation.
Training a deep learning algorithm to classify objects works by exposing it to a large number of labelled examples (e.g. pictures) that are correctly categorised (e.g. pictures of planes).
Once trained, algorithms can correctly classify objects that they have never seen, in some cases with accuracies that exceed those of humans.
Significant advances in these technologies have been made through the use of large data sets and unprecedented computing power[4].
April 8, 2019 the Commission issued the new Communication Building Trust in Human-Centric AI[5]. In this Communication the Commission emphasised the strengths of the EU legal framework, particularly the GDPR, and welcomed the Guidelines for Trustworthy AI drafted by the AI high-level expert group[6].
As the European Commission stressed, AI has the potential to transform our world for the better: it can improve healthcare, reduce energy consumption, make cars safer, and enable farmers to use water and natural resources more efficiently. AI can be used to predict environmental and climate change, improve financial risk management and provides the tools to manufacture, with less waste, products tailored to our needs. AI can also help to detect fraud and cybersecurity threats, and enables law enforcement agencies to fight crime more efficiently.
AI can benefit the whole of society and the economy. It is a strategic technology that is now being developed and used at a rapid pace across the world. Nevertheless, AI also brings with it new challenges for the future of work, and raises legal and ethical questions[7].
Thats why the High-Level Expert Group on AI of the European Union presented Ethics Guidelines for Trustworthy Artificial Intelligence where human agency and oversight was recognised as the first key requirement. Human agency and oversight means that AI systems should empower human beings, allowing them to make informed decisions and fostering their fundamental rights. At the same time, proper oversight mechanisms need to be ensured, which can be achieved through human-in-the-loop, human-on-the-loop, and human-in-command approaches[8].
April 21, 2021 the European Commission has presented its proposals for Regulation of the European Approach to Artificial Intelligence (Artificial Intelligence Act)[9]. The proposals for Artificial Intelligence Act are the draft of the first specified comprehensive law on AI in the world. It represents the most ambitious attempt to regulate AI technologies, setting out a cross-sectoral regulatory approach to the use of AI systems across the European Union and its Single Market.
With this regulation, the Commission aims to make the rules for AI consistent across the EU and thereby ensure legal certainty, encourage investment and innovation in AI, and build public trust that AI systems are used in ways that respect fundamental rights and European values. The Proposals intend to establish a human-centric legal framework and provide a risk-based approach. AI-systems are liable to be regulated depending on the level of potential risks for human rights and freedoms.
The draft includes GDPR-like sanctions up to 6.000.000 or up to 6% of total worldwide annual turnover for the preceding financial year, whichever is higher.
As it was stressed in the EU Strategy for AI, Communications and other Commissions papers, the AI Act is fully consistent with the GDPR and other data protection legislation.
The Commission tries to achieve the global leadership in the field of trustworthy and human-centric AI.
The current legal framework in the UK is very similar to the EU standards. In 2018 the UK fully implemented the GDPR into the domestic legislation via the Data Protection Act 2018.
The Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR) both entered into force in May 2018. The GDPR was replaced by the UK General Data Protection Regulation (UK GDPR) following the UKs exit from the European Union. The Information Commissioner has a supervisory role towards implementation of the data protection legislation.
According to the European Union (Withdrawal) Act 2018:
– S. 5(4): The principle of the supremacy of EU law does not apply to any enactment or rule of law passed or made on or after exit day,
– S. 2: Saving for EU-derived domestic legislation,
– S. 3: Incorporation of direct EU legislation,
– S. 5(4): The Charter of Fundamental Rights is not part of domestic law on or after exit day,
– S. 7: EU Law retains (includes CJEU case law) and continues to be domestic law as an enactment of the same kind (s. 7(1)).
Therefore, a sufficient part of the EU law has become the part of the UK domestic law and remains it after the Brexit.
Plenty of the case law based on the European-like framework remains and are still binding.
And all these EU-rooted law comprises the legal basis applicable for AI in the UK.
But it should be born in mind that all EU legislation passed after the Brexit is not applicable in the UK, but on the other hand all binding EU-based law is not specified for the issues of AI, and that such instruments as Communications or guidelines are not binding at all.
June 28, 2021 the European Commission recognised the UK data protection legal framework as an adequate for EU standards[10] according to both the GDPR and the Law Enforcement Directive)[11].
The application term of both decisions are 4 years (sunset clause).
The European Commission stressed: The UKs data protection system continues to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK has fully incorporated the principles, rights and obligations of the GDPR and the Law Enforcement Directive into its post-Brexit legal system.
With respect to access to personal data by public authorities in the UK, notably for national security reasons, the UK system provides for strong safeguards. In particular, the collection of data by intelligence authorities is, in principle, subject to prior authorisation by an independent judicial body. Any measure needs to be necessary and proportionate to what it intends to achieve. Any person who believes they have been the subject of unlawful surveillance may bring an action before the Investigatory Powers Tribunal. The UK is also subject to the jurisdiction of the European Court of Human Rights and it must adhere to the European Convention of Human Rights as well as to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is the only binding international treaty in the area of data protection. These international commitments are an essential elements of the legal framework assessed in the two adequacy decisions.
For the first time, the adequacy decisions include a so-called sunset clause, which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.
Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.
But on the other hand, the UK legal system is unique and even when the UK was the EU Member State, the English courts interpreted and implemented the law in their own way according to the traditional English approaches (such as literal rule, golden rule, mischief rule, purposive approach and interpretation obligations according to the Human Rights Act 1998).
For instance, in 2019, the England and Wales High Court of Justice (EWHC) held the case (judicial review) R (On Application of Bridges) v The Chief Constable of South Wales Police [2019][12]. This case raises novel and important issues about the use of Automated Facial Recognition technology (AFR) by police forces. The central issue is whether the current legal regime in the United Kingdom is adequate to ensure the appropriate and non-arbitrary use of AFR in a free and civilized society. As Lord Justice Haddon-Cave and Mr. Justice Swift stressed in this case: By those measures, and through scrutiny by the Courts of the ways in which such information is gathered, used and retained, the law seeks to strike a sensible balance between the protection of private rights, on the one hand, and the public interest in harnessing new technologies to aid the detection and prevention of crime, on the other. This case as well as another important case Common Services Agency v Scottish Information Commissioner [2008][13] was held by Appellation Committee of the House of Lords (the highest court of the UK, 2009 replaced by the United Kingdom Supreme Court, UKSC) demonstrated some differences even in interpretation of basic concepts such as personal data, necessity and proportionality.
A key difference is the question of limitation of the public authorities access to personal data. The UK approach to this issue is much more flexible and relaxed.
Lord Reed (the current President of the UK Supreme Court) clearly explained the roots of this difference in R(T) v Chief Constable of Greater Manchester [2015] AC 49 at [88]: The United Kingdom has never had a secret police or internal intelligence agency comparable to those that have existed in some other European countries, the East German Stasi being a well-known example. There has however been growing concern in recent times about surveillance and the collection and use of personal data by the state. &hellip, But such concern on this side of the Channel might be said to have arisen later, and to be less acutely felt, than in many other European countries, where for reasons of history there has been a more vigilant attitude towards state surveillance. That concern and vigilance are reflected in the jurisprudence of the European Court of Human Rights in relation to the collection, storage and use by the state of personal data.The protection offered by the common law in this area has, by comparison, been of a limited nature[14].
When the UK was the EU Member State, the Information Commissioners Office (ICO) the national supervising authority in the field of personal data protection was one of the most active policy makers on AI across the EU. ICO together with the Government issued at least six papers addressed to different AI aspects based on the principles of EU legislation:
– An Ethics, Transparency and Accountability Framework for Automated Decision-Making[15],
– Guidance on developing Reproducible Analytical Pipelines in data science[16],
– A Code of Practice for Statistics[17],
– Professional good practice in quality assurance of code used in data analysis[18],
– A Technology Service manual, covering good practice in technology choice, development, integration, hosting, testing, security and maintenance[19],
– A Guide to Using AI in the Public Sector[20],
– Guidelines for AI procurement, which has extensive guidance on ensuring the teams responsible for procurement are highly competent in the commissioning and adoption of AI, understand ethical AI good practice, are as diverse as possible, and know how to make their work transparent and accountable[21].
6 August 2021 the ICO released its response to the European Commissions proposal for the Artificial Intelligence Act[22]. In particular, the ICO welcomed, among other things, the ambition to regulate the use of AI so that it is safe and respects existing law, fundamental rights and EU values. The ICO agreed that legal certainty is paramount in facilitating innovation. It is conscious that the standard practice for developing and deploying AI may create data protection risks such as non-compliance with the data minimisation principle or individual information rights under the GDPR.
The ICO also supported the risk-based approach to AI regulation, that the risk management system for high-risk AI should be a continuous iterative process requiring regular systematic updates, and the principle of identifying and taking action to mitigate risks in advance. In addition, the ICO added that it would like to understand how the Commission envisions Data Protection Impact Assessments might interact with the AI Act, as well as the decision not to propose the automatic creation of additional bodies to oversee the regulation.
Despite the UKs exit from the EU, the ICO noted that it remains committed to ensuring the high standards of data protection that protect individual rights while also enabling data to be used responsibly to deliver social and economic benefits.
Lastly, the ICO clarified that it will monitor any further developments from the Commission regarding the AI Act proposal and related frameworks and will contribute where appropriate.
March 12, 2021 the UK Department for Digital, Culture, Media & Sport announced the new UK AI Strategy as a new plan to make the UK a global centre for the development, commercialisation and adoption of responsible AI[23].
The new AI strategy will focus on:
– Growth of the economy through widespread use of AI technologies,
– Ethical, safe and trustworthy development of responsible AI,
– Resilience in the face of change through an emphasis on skills, talent and Research and Development.
By the end of the 2021 the Government hopes to complete and publish this strategy and detailed plan.
The Scottish Government in 2021 published its own strategy Artificial intelligence strategy: trustworthy, ethical and inclusive, which is based on the OECD principles and focuses on the strategic priority of delivering trustworthy AI[24].
Likewise the EU, the UK tries to achieve the global leadership in the field of AI to set the gold standard in AI professionalism. The mechanism to get there is the right regulatory framework that is genuinely pro-innovation, pro-competition, but pro-ethical innovation and fair competition.
The UK Government supposes that Brexit made UK free from the Brussels bureaucracy and regulatory burden. The Government declares that a key objective that would go a long way to building public trust in AI is for the government to ensure those practitioners who develop and deliver AI enabled products and services are highly competent, ethical and are accountable for their professional conduct. Moreover, it would allow the UK to show strong leadership in an area that currently is being led by the EU.
September 9, 2021 the Government announced that UK launches data reform to boost innovation, economic growth and protect the public[25].
The objectives of this reform are closely connected to the leadership in the field of AI.
The reforms should simplify data use by researchers and developers of AI and other cutting edge technologies.
The government wants to remove unnecessary barriers to responsible data use. This can help deliver more agile, effective and efficient public services and further strengthen the UKs position as a science and technology superpower.
As Digital Secretary Oliver Dowden said: The use of algorithmic or automated decision-making is likely to increase substantially in coming years. We want organisations to be confident that their AI-powered services are a force for good and will not inadvertently harm consumers.
Reforms to our data regime can also help ensure that organisations can better understand and mitigate the risk of bias in their algorithmic systems. These aim to help organisations identify what is driving bias, so that they can take steps to make sure their services are not inadvertently biased or replicating societal and historic discrimination, or drawing inferences that could be deemed unfair (for example, insurers predicting someones fitness levels from their purchasing habits)[26].
The new data protection framework will be built on key elements of the current UK data protection regime (General Data Protection Regulation (UK GDPR) and Data Protection Act 2018), such as principles around data processing, peoples data rights and mechanisms for supervision and enforcement.
However, the government recognises that the current regime places disproportionate burdens on many organisations. For example, a small hairdressing business should not have the same data protection processes as a multimillion pound tech firm. Our reforms would move away from the one-size-fits-all approach and allow organisations to demonstrate compliance in ways more appropriate to their circumstances, while still protecting citizens personal data to a high standard[27].
Government wants to build a new data regime based on common sense, not box ticking to cement UKs position as a science and tech superpower[28].
According to the proposals the Information Commissioners Office is to be reformed to help drive economic growth and innovation and strengthen public trust in use of data. As part of this, a new governance model is planned for the ICO, including an independent board and chief executive to mirror the governance structures of other regulators such as the Competition and Markets Authority (CMA), Financial Conduct Authority (FCA) and Ofcom.
This follows the selection of John Edwards as the governments preferred candidate as new Information Commissioner, who is currently serving as the New Zealand Privacy Commissioner[29].
Some of these proposals seem consistent to the reforms announced by Her Majesty the Queen during the State opening May 11, 2021[30] and explained in Her Majestys Speech Background Briefing Notes[31].
Therefore, the UK does not yet have its own specific legislation in the field of AI. Its current legal framework is mostly similar to the EU, generally GDPR-based. But the UK Government has entered into the race with the EU for the global leadership in the field of AI regulation. In seems that the UK will try to use the EU experience together with the advantages of the Common Law legal system.
[1] https://rm.coe.int/cahai-cog-2021-01-draft-report-msc-2763-7501-0051-v-1/1680a2e2d5
[2] Artificial Intelligence for Europe, Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of Regions, Brussels, 25.4.2018 COM(2018) 237
[3] Ibid, p. 2.
[4] Ibid, p. 11.
[5] Building Trust in Human-Centric Artificial Intelligence, Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of Regions, Brussels, 08.4.2019 COM(2019) 168
[6] https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai
[7] Building Trust in Human-Centric Artificial Intelligence, Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of Regions, Brussels, 08.4.2019 COM(2019) 168, p. 2.
[8] https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai
[9] https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1623335154975&uri=CELEX%3A52021PC0206
[10]https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183
[11]https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-law-enforcement-directive_en
15 R (On Application of Bridges) v The Chief Constable of South Wales Police [2019] EWHC 2341 (Admin) (04 September 2019). http://www.bailii.org/ew/cases/EWHC/Admin/2019/2341.html
[13] Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, [2008] 1 WLR 155 [Электронный документ]. URL: https://www.bailii.org/uk/cases/UKHL/2008/47.html (Дата обращения: 19.04.2021).
[14] T & Anor, R (on the application of) v Secretary of State for the Home Department & Anor [2014] UKSC 35 (18 June 2014), URL: http://www.bailii.org/uk/cases/UKSC/2014/35.html, Cite as: [2014] WLR(D) 271, [2015] AC 49, [2015] 1 AC 49, 38 BHRC 505, [2014] 4 All ER 159, [2014] 2 Cr App R 24, [2014] UKSC 35, [2014] 3 WLR 96
[15] https://www.gov.uk/government/publications/ethics-transparency-and-accountability-framework-for-automated-decision-making/ethics-transparency-and-accountability-framework-for-automated-decision-making
[16] https://www.blog.gov.uk/
[17] https://code.statisticsauthority.gov.uk/
[18] https://best-practice-and-impact.github.io/qa-of-code-guidance/intro.html
[19] https://www.gov.uk/service-manual/technology
[20] https://www.gov.uk/government/collections/a-guide-to-using-artificial-intelligence-in-the-public-sector
[21] https://www.gov.uk/government/publications/guidelines-for-ai-procurement/guidelines-for-ai-procurement
[22] https://ico.org.uk/about-the-ico/consultations/eu-proposed-artificial-intelligence-act/
[23] https://www.gov.uk/government/news/new-strategy-to-unleash-the-transformational-power-of-artificial-intelligence
[24] https://www.gov.scot/publications/scotlands-ai-strategy-trustworthy-ethical-inclusive/
[25] https://www.gov.uk/government/news/uk-launches-data-reform-to-boost-innovation-economic-growth-and-protect-the-public
[26] Ibid.
[27] https://www.gov.uk/government/news/uk-launches-data-reform-to-boost-innovation-economic-growth-and-protect-the-public
[28] Ibid.
[29] Ibid.
[30]https://hansard.parliament.uk/lords/2021-05-11/debates/BC29801C-46D0-4BBF-A1F2-9B2B46633134/QueenSSpeech, https://www.gov.uk/government/speeches/queens-speech-2021
[31]https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/985029/Queen_s_Speech_2021_-_Background_Briefing_Notes..pdf
