WASHINGTON — As advances in artificial intelligence (AI) unleash innovation and productivity to the benefit of consumers and companies around the world, new data privacy rules in the European Union threaten to put Europe at a competitive disadvantage. According to a new report released today by the Center for Data Innovation, the EU must amend its new General Data Protection Regulation (GDPR), which is set to go into effect in May, or it will constrain the development and use of AI in Europe.
“The GDPR is the wrong framework for AI and the digital economy—both in Europe and everywhere else. It’s AI-limiting provisions do little to protect consumers and may, in some cases, even harm them,” said Nick Wallace, the Center’s senior policy analyst and the report’s lead author. “Failing to amend the GDPR to reduce its negative impact on AI will all but consign Europe to second-tier status in the emerging algorithmic economy."
While many uses of AI do not involve personal data, those that do will be subject to GDPR compliance. Consumers who routinely interact with AI-enabled services will be significantly affected, as will virtually every company in Europe that processes personal data—such as for payroll. By limiting how personal data can be used and raising the legal risks for companies active in AI, the GDPR will negatively impact its development and use by companies in Europe.
The report identifies specific aspects of the GDPR that will constrain AI, and it offers a series of recommendations for how to improve the regulatory environment without reducing consumer protections:
- Simplify the GDPR.
- Remove the right to human review of algorithmic decisions.
- Make the rights to review and explanation technology-neutral.
- Clarify the “meaningful information” obligation.
- Curtail the right to erasure.
- Allow repurposing of personal data that poses no risk to the data subject.
- Amend data-portability rights to account for costs.
- Make fines for breaching GDPR rules proportional to harm and culpability.
- Provide clearer guidelines for de-identifying data.
- Authorize uses of AI in the public interest.
“Forcing consumers and companies to choose between data protection and innovation is unnecessary, but amending the GDPR is the only way to solve for the damage its rules will certainly cause,” said Daniel Castro, the Center’s director and co-author of the report. “The EU wrote the GDPR at a time when most policymakers knew little about AI and even less about its potential economic impact. Rather than take a victory lap when the GDPR comes into effect, the Commission should immediately begin work on GDPR 2.0 to mitigate its harmful impact and create data protection rules suited for the emerging AI economy.”