Data privacy
Data privacy considerations in the context of AI systems are critical, especially given the explosion in the volume and complexity of data generated and processed by organizations across industries worldwide. As we delve into the era of big data and advanced analytics, traditional data protection methods are no longer sufficient to safeguard sensitive information that is used to train AI systems or supplied to them as inputs.
Compliance with data privacy laws is of paramount importance, and the risks to data privacy arising from AI systems are multifaceted:
- Scale and Transparency: AI systems are voraciously data-hungry and often opaque. Consequently, individuals have less control over what information is collected about them, how it’s used, and whether they can correct or remove personal data. The systematic digital surveillance prevalent in online products and services becomes even more pervasive with AI.
- Malicious Uses: Bad actors can exploit AI-generated data for nefarious purposes. For instance, generative AI tools trained on scraped internet data may memorize personal information about people, including relational data about their family and friends. This data can facilitate spear-phishing attacks, identity theft, or fraud. AI voice cloning, too, enables impersonation and extortion.
- Repurposing Personal Data: Personal data shared for one purpose can be repurposed for training AI systems without consent. Predictive systems, such as those used to screen job candidates or display housing advertisements, may inadvertently introduce biases in violation of existing laws and regulations.
AI technologies can also be used to enhance data privacy by automating security measures, detecting anomalies, and enabling granular privacy controls. However, organizations must be aware of the legal risks associated with AI use and consider appropriate action items when deploying AI tools that rely upon or process personal data.
Key legal risks / issues
1. Data Protection Laws and Regulations: Numerous laws and regulations, including the California Consumer Privacy Act and the European Union’s General Data Protection Regulation (GDPR), impose strict requirements on the collection, use, processing, and storage of personal data. Failure to comply with these regulations can result in significant fines and penalties. The intersection of AI and data privacy compliance is vital due to the inherent risks associated with the collection and processing of personal data by AI systems. Ensuring robust privacy practices is essential to mitigate these risks and maintain trust in AI technologies.
2. Data Security: Ensuring the security of AI systems and the data stored and processed by these systems is also of paramount importance. Data breaches can lead to legal liabilities, reputational harm, and a loss of consumer confidence. To mitigate these risks, organizations must implement and maintain robust security measures, including encryption, access controls and regular security audits. By adhering to robust data security practices, organizations can protect sensitive data, foster trust, and uphold the integrity of AI systems.
3. Vendor Management: Organizations increasingly rely on third-party vendors to provide cutting-edge AI solutions. However, this collaboration comes with a set of critical responsibilities, including thorough due diligence and comprehensive contracts. Those contracts should address the parties’ roles and responsibilities and the allocation of liability for legal risks, including data privacy, information security, transparency and explainability, and ongoing monitoring and review.
Actions for consideration
1. Conduct a Privacy Impact Assessment: Prior to deploying AI systems, it is essential to perform a comprehensive privacy impact assessment. This assessment evaluates the potential privacy risks stemming from the collection, processing, and storage of personal data in the context of AI system use and deployment. By proactively identifying and mitigating these privacy risks, organizations can enhance their ability to comply with applicable data protection regulations.
2. Ensure Data Security: Diligently establish and uphold robust security protocols to safeguard AI systems and the data collected, processed and stored in connection with these systems. Security protocols should include, but are not limited to, encryption, access controls, routine security audits, data minimization, secure development practices, and user training and awareness. These security measures are essential to prevent unauthorized access, disclosure, alteration, or destruction of systems and sensitive information.
3. Vendor Management: When your company uses AI technology developed or licensed by third-party vendors, it is important to ensure that both the technology and the third-party vendor comply with applicable data protection regulations. Conduct due diligence on the vendor’s data protection practices, incorporate data protection requirements into vendor and third-party contracts, and implement mechanisms for monitoring and auditing vendors’ compliance.
Related contacts
Paula Barrett
Co-Lead of Global Cybersecurity and Data Privacy E: paulabarrett@eversheds-sutherland.com T: +44 20 7919 4634
Rachel Reid
Head of Artificial Intelligence, US E: rachelreid@eversheds-sutherland.com T: +1 404 853 8134
© Eversheds Sutherland. All rights reserved.