Implications of GDPR on AI and image recognition
GDPR, AI, image recognition: what are the main implications for your business?
AI is moving fast. And where technologies progress, regulations must evolve too. In fact, the European Parliament has decided to update personal data regulations to catch up with AI. Thus, we want to give you a grasp on what’s changing and how it can impact your business. Indeed, there are several important implications of the GDPR on your AI project and image recognition.
The new French general data protection directives will enter into force on the 25th of May 2018. They are a direct application of the European directives voted in 2016. Most importantly, from next May you will no longer need to make a deposition at the Commission Nationale de l’Informatique et des Libertés (CNIL) to make use of personal data. Indeed, you will have to ensure directly the conformity of your personal data with the directives.
So how does this impact computer vision and what actions should be taken?
The principles of the GDPR
Let’s first look at CNIL’s definition of personal data.
Personal data meansy any information relating to an identified or identifiable individual.
Defining if your information concerns an identified person is easy. But what about information related to an identifiable individual? One could falsely believe that if you can’t determine a person’s identity at first glance then it can’t be personal data. Yet it is possible to combine information from various sources to identify someone. If your data can help to do that, then it falls within the scope of the CNIL’s definition.
Let’s try an example. Imagine you have a picture of people walking down a street. You know the place and time but you don’t see their faces. It might be possible to retrieve the identity of the individuals by cross-checking their clothes, skin colors or physical dimensions to the time and place related to the pictures. If you are looking to build a computer vision system and your data meets the previous definition criteria then keep reading!
To comply with the law, you have two options: fulfill directive requirements or delete personal information in your dataset.
1. Meet the directive’s requirements
First, your data processing activities must fulfill a defined purpose. It is illegal to collect personal data without any reason or for an undefined future usage. For instance, a defined purpose could be to optimize autonomous driving thanks to cameras embedded in cars. Secondly, the collected data must be relevant to the purpose and strictly necessary for its completion.
Take a train company wishing to make train stations more secure by installing an automated weapon-detection system. This is a defined purpose. To do that, they will need footage of video surveillance cameras featuring users’ faces. This is personal data but it is relevant and necessary for achieving the objective.
Thirdly, your data processing activities must be limited in time and restricted to a relevant duration to achieve your objective.
Finally, you will need to obtain the consent of the individual whose identity is shown in your data. For instance, if you are filming people in a public space, you can inform them you are collecting data by putting up a sign or offering an alternative path if they wish not to be filmed.
If you cannot obtain consent, then keep reading to learn your last option.
2. Delete personal information
What if the easiest way to comply with the law would be not applying it? It’s exactly what you can do by anonymizing your data before processing it. To do so, there shouldn’t be any trace of personal information in your picture (or any other data type) that would allow identifying an individual. In computer vision, you would most likely anonymize data by putting a black box around the identifier for instance.
Do not forget the official definition of personal data! Blurring or erasing a single face is not always enough to overcome the presence of other personal information contained in the data. However, it is a very good practice encouraged by the CNIL that improves security and shows good will to ensure individual rights to privacy.
You can easily achieve anonymization with computer vision. By training a detection model specialized in recognizing faces or license plates, for instance, you can then automatically apply a black box or blur them. If you are interested in learning more about these last solutions, please do not hesitate to get in touch with us!
Artificial intelligence is a controversial topic from a legal standpoint. The new directives are the first step towards safe and ethical use of personal data to build intelligence systems. We should expect that further regulations in the near future. Lawmakers will probably keep a close eye on AI in the following years to ensure it doesn’t compromise the privacy of individuals and their safety and integrity.
For more information about the French Data Protection laws check https://www.cnil.fr/fr.