General information relating to the requirements for information and artificial intelligence
The GDPR requires that all processing of personal data shall take place in a manner that is legal, transparent and fair. When an undertaking collects and processes personal data, it pledges to provide the data subject with information regarding such processing. Use of artificial intelligence gives rise to certain particular issues concerning the information that must be provided to the data subject, because it is not always clear how an AI model has arrived at a result.
In this chapter, we will provide an overview of the general requirements for information in such instances. In the following chapters we will look at the requirements in the context of Ruter’s project.
Transparency and explainability
Transparency is a fundamental principle in the GDPR. In addition to being a prerequisite for uncovering errors, discriminatory treatment or other problematic issues, it contributes to increased confidence and places the individual in a position to be able to assert their rights and safeguard their interests. Transparency can also be of major value to the controller in order to create trust and to encourage customers to use new and complex technology.
The concept of ‘explainability’ is often used in connection with AI. This can be said to be a specific aspect of the transparency principle. Traditionally, transparency has been about showing how different items of personal data are used. However, the use of AI may require a different approach to explaining complex models in an understandable manner.
Explainability is an interesting topic, both because explaining complex systems can be challenging and because the way in which the requirement for transparency is to be implemented in practice will vary from solution to solution. In addition, machine learning models can permit explanations that appear different to those we are used to, often based on advanced mathematical and statistical models. This opens the way for an important trade-off between a more correct, technical explanation and a less correct, but more understandable explanation.
Transparency requirement
Regardless of whether or not you use artificial intelligence, there are certain requirements for transparency when processing personal data. Briefly summarised, these requirements are:
- The data subjects must receive information on how the data is used, depending on whether the data is obtained from the data subject themselves or from others. We will discuss this further below. (See Articles 13 and 14 of the GDPR).
- The information must be easily accessible, for example on a website or via an application, and be written in clear and intelligible language. (See Article 12 of the GDPR).
- The data subject has the right to know whether data about them is being processed and have access to their own data if requested. (See Article 15 of the GDPR).
- It is a fundamental requirement that all processing of personal data must be done in a transparent manner. This means that an assessment must be carried out of what transparency measures are necessary for the data subject to be able to safeguard their own rights. (See Article 5 of the GDPR).
The first bullet point includes the contact details of the controller (in this case Ruter), the purpose of the processing and which categories of personal data will be processed. This is information that is typically provided in the privacy policy.
The GDPR requires that information provided to the data subjects is intelligible. It is therefore important to present the information in a manner that is clear and concise. A good means of achieving this is to provide the information in multiple layers, i.e. that one can click to obtain more information regarding specific topics. This avoids too much information being combined onto one page.
At the same time, having too many layers makes it more difficult to access the content. It is important that the information does not become overly fragmented and difficult to keep track of.
Automated decision-making
If processing can be categorised as automated decision-making or profiling according to Article 22 of the GDPR, there are additional requirements for transparency. This includes the right to know whether you are the subject of automated decision-making, including profiling. There is also a specific requirement that the individual is provided with relevant information concerning the underlying logic and the significance and the envisaged consequences of such processing.
The stronger requirement for transparency in connection with automated decision-making or profiling pursuant to Article 22 is referred to in:
- Article 13(2)(f) of the GDPR
- Article 14(2)(g) of the GDPR
- The European Data Protection Board’s (EDPB) guidelines on automated individual decisions and profiling
As we will return to below, additional requirements for transparency may also apply in connection with profiling that does not come under Article 22.
Requirements for information when obtaining consent
The information that is provided to the data subjects when obtaining consent may have an impact on the validity of the consent. As mentioned, the requirement that consent is informed is one of several conditions that must be met for the consent to be valid.
Ruter plans to use consent as the legal basis for processing personal data when developing the AI solution. Therefore, in the report, we further examine the requirements that the information must meet for the consent granted to be informed.
The requirement for informed consent is largely linked to the right to information as described in Articles 12–14 of the GDPR. There are some additional requirements when the processing is based on consent. If sufficient information is not provided to the data subjects, the consequence will be that the consent is invalid.
What information has to be provided in connection with obtaining consent?
The data protection regulations require that, at the same time as the request for consent is made, information must also be provided relating to:
- The right to withdraw consent.
- The identity of the controller.
- The purposes of each processing activity for which the personal data will be used.
In addition, on pages 15–16 of its guidelines concerning consent, the EDPB has listed the following minimum requirements for the content of information for consent to be deemed informed:
- information about the type of personal data that will be used
- information about the use of personal data for potential automated decision-making
- information about the possible risk of transferring personal data out of the EEA without an adequacy decision or necessary guarantees pursuant to Articles 45 and 46 of the GDPR.
The extent and type of information required for consent to be informed will vary. In some instances, it is necessary to provide additional information to what is mentioned above. The decisive factor is that the information will provide the data subjects with a genuine understanding of what they are consenting to.