Number of Articles – 4
1. Decisions taken by AI:
The ICO and ATI have been consulting with the public and industry with a view to drafting practical guidance for businesses on how to explain their AI decisions (‘Project ExplAIn’).
The interim report says that the content of AI explanations will depend on context – specifically the use case and the user.
If a decision can be challenged or the person can receive feedback, explanations are more important. For example, in recruitment or criminal justice, having AI decisions explained will be a priority for the job applicant or defendant. But in healthcare settings, patients will be more concerned with getting a quick and accurate diagnosis than an explanation of how the AI technology reached its conclusion.
The interim report suggests several contextual factors, including:
• Urgency of the decision
• Impact of the decision
• Ability to change factors or influence the decision
• Scope of bias
• Scope for interpretation in the decision making process
• Type of data used
A ‘one size fits all’ approach is unlikely to be successful in delivering appropriate explanations. The report suggests a hierarchy of explanations might work, allowing individuals to choose the amount of detail most relevant to them. This would align with the GDPR’s emphasis on giving people ‘meaningful information’.
2. Hungary: GDPR fines given for delayed breach notification and inappropriate screenings
NAIH imposed a fine of HUF 100,000 (EUR 310) on an unnamed social and child welfare institution for late notification of a data breach. The organisation had sent nine letters to incorrect recipients, containing sensitive information on 18 individuals, including contact information for children and their families, criminal-record data and information related to child-protection proceedings.
The NAIH also issued its highest data protection fine (HUF 30,000,000 or EUR 100,000, representing 2.3% of the company’s net revenue) for “Sziget”, one of Hungary’s largest multicultural music and arts festivals. The violation concerned the festival organiser’s procedure for the security screenings of hundreds of thousands of festival guests by photocopying IDs and taking photos at the entry gate.
The NAIH disputed whether individuals voluntarily consented to such screenings since this data processing was necessary for each guest to obtain services and attend the festival. In other similar cases, primary services cannot be subject to consent for the underlying data processing, and companies must rely on another legal basis to justify it.
This paper highlights the costs and risks of remaining on those systems, reasons to consider more modern alternatives, and key considerations to keep in mind.
Explains some of the issues with legacy electronic content management systems.
The problem with these legacy systems is that they were never designed to quickly adapt to changing business dynamics. Never intended to be extensible beyond their core capabilities. Never built with today’s complex integration requirements in mind.
What they were designed to do was simple – securely store a digital copy of a business record, and index it so that it can be located and retrieved at a later date as part of a business process or in response to an ad-hoc request.
In their day, legacy information systems were beautiful in their simplicity. Business records were either scanned or captured electronically, then converted to something like a multi-page TIFF, or JPEG, or PDF, and then dumped into an electronic version of a paper file cabinet. In order to be able to retrieve it again, a very minimal amount of information or “metadata” was assigned to it.
Organizations would spend time considering how they would normally search for that document in a paper-based world and they replicated it electronically. They would identify things like Customer Number, Policy Number, Account Number, Customer Name & Address. Perhaps a few other variables would be identified and stored as well such as Received Data, Scan Date, Index Date, Processed Data. A few other bits of information might be captured such as Contact Source to indicate the information arrived via eMail, Fax, In-Bound Mail, Web-Form, etc.
But the idea was to keep the information as minimal as possible–just the bare essentials needed to search and retrieve the information. Any other information related to that digital documents belonged somewhere else, perhaps in a line-of-business application. So, today not only do organizations have digital files scattered across the enterprise, they are realizing that the data related to them are scattered as well.
Since their inception, legacy information systems have evolved very little from their original premise of store and retrieve. Today, this lack of innovation has become problematic. Yes, there has been the occasional new function or feature released over the years. And yes, the overall ecosystem has grown to include things like Capture, Records Management, Business Process Management, and Corporate Correspondence to name a few. But the core of all that is ECM– the repository–and its associated data has remained unchanged since day one. Also unchanged is the fundamental value proposition: put something here; slap a little metadata around it, and have the piece
4. EDPB Guidelines on Territorial Scope
Data controllers or processors subject to the GDPR as per its Article 3(2) are under the obligation to designate a representative in the Union. A controller or processor not established in the Union but subject to the GDPR failing to designate a representative in the Union would therefore be in breach of the Regulation.
Provides guidance on various aspects of a ‘representative’ including:
a) Designation of a representative
b) Exemptions from the designation obligation
c) Establishment in one of the Member States where the data subjects whose personal data are processed are
Obligations and responsibilities of the representative