Written by Joel Engardio for AJ Shankar, CEO of Everlaw
Published in Legal Tech News

What GDPR in Europe Means for the Future of AI and U.S. Regulation

Companies that control or process the personal data of customers living in the European Union are racing to comply with Europe’s new General Data Protection Regulation (GDPR). They have until May 25, 2018 to abide by the most stringent data protection legislation the world has seen — and nearly half of companies are not on pace to make the deadline, according to a recent Gartner report.

The ever-changing nature of technology can make it difficult for entrepreneurs to comply with the regulatory process. While next year’s GDPR replaces regulation from the dawn of the Internet in the 1990s, it could quickly become just as outdated.

The popularity of Artificial Intelligence (AI) and machine learning raises even more questions. Will strict regulation like GDPR impede the pioneers of an AI future? Or is government regulation a good way to ensure companies are more thoughtful in how they approach their work?

At Everlaw, we anticipate potential outcomes for our AI, and design controls to mitigate problems in advance. GDPR is the first law our compliance director has seen that touches on cybersecurity and data protection from an AI perspective. While no regulation can anticipate every need or keep up with the fast-paced technology industry, GDPR is as thoughtful as it can be. It is an excellent opportunity for software vendors who agree that keeping your customers safe makes good business sense.

In 2017, Everlaw began implementing GDPR for a client whose data is hosted in Germany, and we’ve learned a lot in the process about how sensible regulation can benefit any company. It’s shown our team what AI regulation could be like in the U.S., and provides perspective on ways smart policy makers and AI vendors can mitigate regulatory impacts on business development, while preparing for potential new laws:

What could government regulation look like for AI or machine learning?
Before we see robots entering our homes and offices, as depicted by the doomsday scenario of “Westworld,” we will most likely see regulation address transparency and fairness issues. This includes bias and discrimination based on personally identifying information.

The Fair Credit Reporting Act is one example in the U.S. of regulating automated data processing and decision-making. The news of Equifax’s security breach notwithstanding, the intention of the law is to protect the fairness, accuracy and privacy of the personal information collected by credit agencies. Similarly, the GDPR provides a scope and limits on automated data processing and consumer profiling. A key feature of the regulation is the examination of a consumer’s "right to explanation," or right to be informed where decisions are made based solely on automated processing.

What are ways to mitigate regulatory impacts?
Software vendors looking to get ahead of these requirements may use a higher level of “explicit” consent for obtaining personal data. Smart managers will de-identify data with anonymization and pseudonymization. Likewise, building privacy as a product feature, aka “data protection by design” in GDPR’s terminology, will future-proof your system’s compliance. Under these structures, directly identifying data is held separately and securely from processed data to ensure non-attribution, adding a layer of compliance with GDPR.

Prior to designing the system, you may consider subjecting your protocol to peer review. Questions to consider during this process include a) Do I need to collect Personally Identifiable Information (PII) in the first place? b) What is it being used for? c) Can it be replaced, or is it unique to my model? Like data protection by design, smart managers will recognize this protocol’s value in protecting your system against further regulatory shifts.

How can companies prepare for potential regulation?
Regulation and compliance are a balance between art and science. Take time to discuss how a regulation could apply to your company. Once you have settled on a protocol, document both it and the rationale to pass future audits or other types of scrutiny. Prioritize the protocol’s enforcement in real practice. Enactment in real life is more important than a process on paper. As with any area of regulatory compliance, it’s worth taking the time to ensure this program is successfully implemented. A smart manager is willing to wear lots of different hats to get the work done.

Nearly 40 percent of American voters say they believe the tech industry will create the most jobs in the next decade, according to the U.S. Chamber Technology Engagement Center. But there is also rising concern about how the industry will use personal information, especially in automated and AI contexts. That’s why it is important to have a healthy balance between innovation and useful government regulation. There is a very productive middle ground that both respects individual privacy preferences and creates real value for users.

When it comes to AI, we should not let a fear of robots prevent the benefits newly efficient systems can provide. We can welcome thoughtful regulation to ensure AI helps people enjoy more productive lives.