GDPR, the Courts and Explainable AI

By Hubert Yoshida posted 12-20-2019 07:18


It has been a year and a half (May 2018) since the General Data Protection Regulation (GDPR) was created to protect the privacy of individuals within the European Union (EU). EU citizens have the right to know what information is collected and how it is used and shared, as well as the right to correct and delete data, and the “right to be forgotten”. GDPR expanded the definition of “personal data” and imposed stricter security on data processors and controllers. In addition, organizations now have a 72-hour window in which they must notify the supervisory authority in the event of a breach. GDPR is a regulation with penalties for enforcement. According to the European Data Protection Board (EDPB), 281,088 “cases” were reported by Data Protection Agencies (DPAs) in 27 European Economic Area (EEA) countries in the first 12 months. This is evidence that GDPR has been taken very seriously.


As you can imagine, a lot of the details are being hammered out in the courts. The fines can be as large as €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. As a result, large data companies like Facebook and Google are in the courts a lot as different aspects of GDPR are being tested.


Google has been fined 50 million euros by the French data regulator CNIL for a breach of the EU's data protection rules. The regulator said that people were "not sufficiently informed" about how Google collected data to personalize advertising. It was too hard for people to understand how their data was being used. The CNIL also imposed a penalty of €100,000 on Google for its refusal to remove objectionable search results from the localized editions of its search engine around the globe and not just from its European versions. However, the Court of Justice of the European Union (CJEU) mostly sided with Google, holding that it is only required to remove results from its European and generic editions, rather than globally, essentially putting territorial boundaries on the “right to be forgotten.” Google is facing even larger fines by the Information Commissioner's Office (ICO) as it is being investigated over leaking of customer data from its advertising platform. Some of the largest fines have been against Marriott and British Airways for breaches of data.


One of the lesser-known areas covered by GDPR is the “Right to Explanation”. GDPR Articles 13-15 and 21-22 specify that when automated data processing and decision making is applied to a person’s private data, that person has a right to receive an explanation of how the decision was made. Automated data processing and decision systems typically use machine learning or AI. The intent is to force AI to explain its decision so that citizens can evaluate and correct any wrong or biased decisions and see how their personal data is used to generate results. AI can no longer be a black box.


The right to explanation or explainable AI is a good thing, but the General Data Protection Regulation does not provide any specific format or content requirements. How many of us could understand the explanation of a “Random Forest Algorithm” that may have been used to arrive at a decision? It is like the Google case above where people were "not sufficiently informed" about how Google collected data to personalize advertising. Maybe it was not about being sufficiently informed. Maybe it was about not having the capacity to understand the disclosure. There will inevitably be a court case and the lawyers and judges will define the requirements.


Explainable AI (XAI) is an active area of research at Hitachi. At our NEXT event in October, Yuichi Yagawa, the general manager of our Central Research Lab, showed some of the work we are doing in XAI and how we are working with Sumishin Net Bank and Dayta Consulting to enable more people to get loans.


If you want to hear more about the state of this technology and other future technologies like quantum computing and DNA storage, please join Paul Lewis and me for a webinar for a look into the future on January 15 at 12pm EST.