
Data & AI in Europe: is there a real strategy?

Written by:

Fouad Talaouit-Mockli

Charlotte Ledoux

Reading duration: 10 min

2022-10-18

Our assessment of the situation

The importance of privacy is recognised worldwide, yet there is still no internationally agreed definition of what privacy actually is.

In 1948, the members of the United Nations adopted the Universal Declaration of Human Rights, Article 12 of which sets out the right to privacy: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” The notion of correspondence can be read today as covering the exchanges we have by email or via other messaging applications.

Countries have therefore been free to interpret this standard as they see fit. Consumers, alarmed by abuses in the use of their personal data, have nevertheless strongly pushed states to provide new legal frameworks. As a result, legislation around the world has accelerated in recent years, with the arrival of several major texts:

  • The General Data Protection Regulation (GDPR), which came into force in May 2018, aims to protect the privacy of European citizens by relying on the principle of Privacy by Design. This involves integrating the protection of personal data right from the design stage of a project (a minimal sketch of what this can look like in code follows this list).
  • The EU Cookie Directive, a 2009 amendment to the European Union (EU) e-Privacy Directive that member states had to transpose by 2011. It stipulates that Internet users must be informed and give their consent before certain cookies are stored and read, while others are exempt from consent. The directive applies to all EU countries, as well as to websites owned by European companies and international sites that target EU citizens.
  • The Privacy Shield, adopted in 2016, is a framework to regulate transatlantic exchanges of personal data for commercial purposes between the EU and the US. However, the European Court of Justice declared it invalid on 16 July 2020 (we will be following this closely!).
  • The Cloud Act, enacted in March 2018, allows US law enforcement agencies to obtain from telecom operators and cloud service providers the electronic communications data stored on their servers, whether located in the US or in foreign countries.
  • The California Consumer Privacy Act, a law passed in 2018 designed to strengthen privacy rights and consumer protection for residents of California, USA.
  • The Health Insurance Portability and Accountability Act (HIPAA), whose privacy rule came into effect in 2003 in the United States. It establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses and health care providers that conduct certain health care transactions electronically.
  • China’s Cybersecurity Law, implemented in 2017, as well as the Personal Information Security Specification of 2018, came into effect to strengthen data protection, data localisation and cybersecurity in the interest of national security.
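
To make Privacy by Design concrete, here is a minimal sketch in Python, entirely of our own invention (the signup flow, the field names and the salt handling are hypothetical): the identifier is pseudonymised before it is ever stored, by design rather than as an afterthought.

```python
import hashlib

# Hypothetical illustration of Privacy by Design: the raw email address
# never reaches the database; only a derived pseudonym is persisted.
SALT = b"application-specific-secret"  # assumption: stored and rotated securely

def pseudonymise(email: str) -> str:
    """Derive a stable, non-reversible pseudonym from an email address."""
    return hashlib.sha256(SALT + email.lower().encode()).hexdigest()

def register_user(email: str, preferences: dict) -> dict:
    # Only the pseudonym and the data needed for the service are kept.
    return {"user_id": pseudonymise(email), "preferences": preferences}

record = register_user("alice@example.com", {"newsletter": False})
```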

To delve deeper into the legislation by country, we recommend this very useful tool on the CNIL website which maps the different levels of data protection globally.

Whatever the country concerned, supervisory authorities exist to support organisations, verify that these laws are applied and, where necessary, sanction companies. This legal framework makes it possible to limit and curb the mad rush for data. Companies are therefore increasingly turning to data brokers to buy data and thus improve their customer knowledge and services. These data brokerage companies collect massive amounts of user data (name, address, health information, salary, credit, purchases, religion, etc.), often without the knowledge of the individuals concerned. Data brokers are today engaged in a tightrope walk, playing with the limits of legality and justifying their existence by an economic utility (helping to develop new services) and a public utility (security and defence).

[Image: mapping of today’s data players]

The difference in the way cultures perceive data is striking.

For example, the main data brokerage companies are American, and they treat data as a commodity, far from the more ethics-driven relationship that European countries maintain with it. The US also continues to emphasise states’ rights in its governance and advocates a bottom-up approach to data privacy. This approach has implications for the potential uses of artificial intelligence (AI): the US encourages innovation through AI and recommends a hands-off approach to AI regulation rather than a legal approach based on moral values.

In short, the US has minimalist privacy and data protection and allows AI to maximise the profitability and efficiency of companies.

China, for its part, has begun regulating data protection more recently, and with a dual objective: forcing companies to protect personal data while allowing the government to access it. Indeed, there is still no meaningful privacy protection against government intrusion. As a result, Chinese AI is optimised to maximise the government’s hold on the population and preserve its power.

The EU’s stricter view on data protection, and in particular the European Commission’s proposed Digital Markets Act, is perceived internationally as protectionist. This draft legislation aims to limit the dominant position of the large American and Chinese technology companies. Overall, the EU seems to prioritise regulation over innovation.

In our view, the international context for the protection and use of personal data is very uneven. There is no globally coherent framework.

The limits for the EU

The GDPR imposes the strictest data protection requirements in the world. However, the text is vague in places and leaves room for interpretation. Many law firms have seized on the subject to find workarounds that allow companies to keep collecting data under the guise of legitimate interest.

This is felt on the user side: according to the RSA Data Security & Privacy Survey 2019, 45% of respondents said their personal information had been compromised at least once in the last five years. Complaints filed with the CNIL have increased by 62.5% since the GDPR came into force, but these administrative procedures remain complex and give little visibility on resolution times.

In 2020, the CNIL carried out 247 checks, a figure that seems very low compared to the roughly 2,700,000 French companies in existence. Companies are nevertheless trying to catch up and comply by increasing their budgets on these subjects.

The European legislative framework does have the advantage of providing principles and guidance for organisations to protect personal data and thus adopt a responsible and ethical approach. This provides organisations with a set of criteria to assess and implement where appropriate.

However, data protection principles such as purpose limitation and data minimisation put a strain on what AI can do: training algorithms typically requires large volumes of data, collected and kept only for a precisely stated purpose.
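
As a rough illustration of what data minimisation can mean in practice, here is a short Python sketch; the column names, the input file and the “declared purpose” are all hypothetical:

```python
import pandas as pd

# Hypothetical example: keep only the features needed for the declared
# purpose and drop direct identifiers before any training happens.
ALLOWED_FEATURES = ["age_bracket", "region", "contract_type"]
DIRECT_IDENTIFIERS = ["name", "email", "phone"]

def minimise(df: pd.DataFrame) -> pd.DataFrame:
    """Return only the columns justified by the declared purpose."""
    df = df.drop(columns=[c for c in DIRECT_IDENTIFIERS if c in df.columns])
    return df[[c for c in ALLOWED_FEATURES if c in df.columns]]

raw = pd.read_csv("customers.csv")   # raw collection (hypothetical file)
training_set = minimise(raw)         # what actually feeds the model
```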

In addition, the European Commission has very recently proposed a regulation¹ for trustworthy AI, with an approach based on the risk level of each application, although it does little to limit governments’ use of harmful AI technologies (apart from restrictions on state surveillance).

In such a regulatory context, innovation becomes challenging: legislators are constantly reacting to innovations in data and AI, and no one can anticipate everything. More frequent exchanges with professionals in the sector would nevertheless help avoid turning an innovative company into an outlaw overnight.

This emerging over-regulation thus tends to complicate innovation through AI in the EU, placing it in a position of technological inferiority at the global level.

France and Germany want to get back in the game and are proposing to create a European data infrastructure, called Gaïa-X², whose first cloud services are expected in September 2021. Gaïa-X is an association that aims to provide a secure and trustworthy catalogue of cloud services, allowing both the porting of applications and the sharing of data from one provider to another.

The consortium is independent but includes non-European members such as Alibaba Cloud, Amazon Web Services, Google Cloud and Microsoft Azure. The idea of European technological sovereignty therefore looks like wishful thinking: European software and hardware manufacturers are absent from the project, and public funding benefits non-European players.

More recently, the French government announced the decision to create a trust label for digital companies specialising in data storage. This “trusted cloud” label will be issued by ANSSI (Agence nationale de la sécurité des systèmes d’information) and aims to guarantee the sovereignty of stored data. However, non-French companies will also be able to receive this label, provided they respect certain rules such as locating their data in Europe and marketing their offers via “French cloud providers”. Non-European members of Gaïa-X will have to obtain this label in order to offer their services.

Thus, Gaïa-X will indeed guarantee data sovereignty but will not increase European technological know-how and skills.

These initiatives highlight Europe’s difficulty in finding its place at a global level, between undesirable protectionism and over-regulation generating an administrative maze for companies.

Tomorrow: a new ecosystem, new players

The European Commission’s proposal for a Data Governance Act (DGA) could reshuffle the cards in the ecosystem and encourage the emergence of new players. Let’s first look at the 3 pillars of this proposal:

  • Make protected data held by the public sector available for re-use
  • Strengthen trust in data sharing by regulating re-use through neutral and transparent data sharing intermediaries
  • Create a certification for “data altruists” who voluntarily provide data of general interest (e.g. to help research)

The supervisory authorities now need “relays” in order to extend their scope of intervention and accelerate awareness at all levels of the ecosystem. These private bodies certified by the supervisory authorities could therefore take the form of data sharing intermediaries, as described in pillar 2 above.

What role for the data sharing intermediary?

The data sharing intermediary should be a trusted third party that brings together data producers and data consumers. Trust in these intermediaries still needs to be strengthened in order to reassure companies of their neutrality and their technical capacity to manage transfers in a private and secure manner.

The DGA therefore plans to oblige data sharing service providers to declare themselves, to impose mandatory conditions on the provision of their services (transparency, interoperability, etc.) and to monitor compliance with these provisions.

In the future, these intermediaries will facilitate the private and secure sharing of data between players, thus enabling them to expand their available data assets.

[Image: mapping of tomorrow’s data players]

We are convinced that these trusted third parties will also have the task of tracing exchanges, protecting the data exchanged and thus providing proof of compliance in the event of an audit. Data will then become a circular product for companies, allowing them to collaborate on common projects.
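
One way such proof of compliance could work, sketched below purely under our own assumptions (neither the record fields nor the hash chain are prescribed by any text), is a tamper-evident log of exchanges kept by the intermediary:

```python
import hashlib
import json
import time

def record_exchange(log: list, producer: str, consumer: str, dataset_id: str) -> dict:
    """Append an exchange record chained to the previous one by hash."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    entry = {
        "timestamp": time.time(),
        "producer": producer,
        "consumer": consumer,
        "dataset_id": dataset_id,
        "prev_hash": prev_hash,
    }
    entry["hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()
    ).hexdigest()
    log.append(entry)
    return entry

log: list = []
record_exchange(log, "producer-A", "consumer-B", "dataset-42")
# An auditor can recompute the chain to prove no record was altered or removed.
```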

Intermediaries could also make common data pools and shared learning environments available. These spaces would allow several players to work collaboratively on shared algorithms.
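
One plausible shape for these shared workspaces, given purely as a sketch (the model, the data shapes and the update rule are our assumptions), is federated averaging: each player trains on its own private data and only model weights are pooled.

```python
import numpy as np

def local_update(weights: np.ndarray, X: np.ndarray, y: np.ndarray, lr: float = 0.1) -> np.ndarray:
    """One gradient step of linear regression on a player's private data."""
    grad = 2 * X.T @ (X @ weights - y) / len(y)
    return weights - lr * grad

def federated_round(weights: np.ndarray, private_datasets: list) -> np.ndarray:
    """Each player trains locally; only the updated weights are averaged."""
    updates = [local_update(weights, X, y) for X, y in private_datasets]
    return np.mean(updates, axis=0)

# Toy run with three players holding synthetic private datasets.
rng = np.random.default_rng(0)
datasets = [(rng.normal(size=(50, 3)), rng.normal(size=50)) for _ in range(3)]
w = np.zeros(3)
for _ in range(10):
    w = federated_round(w, datasets)
```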

But is this enough to recreate a bond of trust with users? Today there is no proof or label at company level that could reassure them.

One possible answer is that these sharing intermediaries could award AI trust labels, based in particular on the requirements of the forthcoming European Commission regulation.

Following the example of organic labels, one could imagine a panel of certified bodies issuing labels according to specific criteria (ethics, interpretability, etc.), audited every year for example.

Another idea is that, in addition to complying with transparency standards, AI algorithms could be subjected to tests, similar to those required for new drugs, before being approved for public use.
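
As a toy example of what such a pre-approval test might look like (the metric, the threshold and the data are entirely invented here), a certifying body could check that a model’s positive-prediction rate does not diverge too much between groups:

```python
import numpy as np

def demographic_parity_gap(predictions: np.ndarray, group: np.ndarray) -> float:
    """Absolute difference in positive-prediction rates between two groups."""
    rate_0 = predictions[group == 0].mean()
    rate_1 = predictions[group == 1].mean()
    return abs(rate_0 - rate_1)

# Invented data and threshold, standing in for a real certification test suite.
preds = np.array([1, 0, 1, 1, 0, 1])
groups = np.array([0, 0, 0, 1, 1, 1])
assert demographic_parity_gap(preds, groups) <= 0.2, "fails fairness threshold"
```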

We are convinced that tomorrow’s model rests on a circular and virtuous management of data, built on multiple trusted private actors enabling interconnections between companies.

Towards international coordination?

The acceleration of European regulation seems to have triggered a global rethink, particularly in China and the United States. Both are indeed evolving their personal data protection regulations, drawing partly on the principles of the GDPR.

As far as AI is concerned, future frameworks and regulations will be closely linked to the protection of personal data, which will determine the possible uses. Today, everyone legislates on their own: regulations are often contradictory from one country to another and not interoperable. In the long term, there is a risk of fragmentation and isolation of networks and of access to Internet services.

The notion of ethics³, on the other hand, is specific to each country and even to each company. Companies have taken to drafting ethical charters that describe their guidelines for AI, according to their own value systems. This dimension must remain a local choice and cannot be coordinated internationally.

But it would be relevant to have an international framework for data protection and AI based on a universal definition of privacy.

The OECD principles go in this direction and propose to establish an international standard⁴ based on common values. In May 2019, the proposals of the expert group set up for this purpose resulted in these principles, which have been endorsed by more than 40 countries to date. This work has emerged alongside other countries’ initiatives to create AI governance frameworks.

We believe it is essential to align principles and methods to strengthen the intelligent, secure and private sharing of data and models on a global scale, in order to create value and solve the great challenges of humanity (the Covid crisis has demonstrated this need more than ever!).

In any case, companies need recurring user data from a business point of view. The legal framework obliges them to respect strict rules on the collection and use of personal data.

As for data transfers, new rules have emerged very recently. Following the cancellation of the Privacy Shield, the European Data Protection Board (EDPB) published its final recommendations on transfers of personal data to third countries on 18 June 2021, to bring such transfers into line with EU data protection rules. In short, some data transfers to third countries will simply not be legal. Given the globalised society we live in, many companies will find it very difficult to comply with these new requirements, which still do not provide for meaningful international coordination.

In the international framework we imagine, interoperability and transparency on transfers would be a must. Flows would have to comply with the major international principles established and guarantee the security and privacy of the data exchanged.

All of this in order to create a world that innovates thanks to data, respects users rather than making them feel guilty, and puts them back in the position of informed consumers.

  1. Europe fit for the Digital Age: Commission proposes new rules and actions for excellence and trust in Artificial Intelligence
  2. GAIA-X: a federated data infrastructure for Europe
  3. A citizen’s guide to AI by John Zerilli, February 2021
  4. AI & Privacy: how to find balance by Punit Bhatia, April 2021