With the EU GDPR turning four years old this week, we thought it was only fitting to talk about what the next four years could look like for data protection. During the past 1,460 days, we have seen a dramatic shift in how data protection has been viewed by the ordinary person as well as by organisations who process personal data. In the latter half of this time, the COVID-19 pandemic triggered a further transformation relating to how organisations handle personal data whilst their workforce pivoted to a full or flexi work from home model.
Clearly there have been huge changes over the last four years, and we believe that the next four will be no different in this respect. This is largely down to the vast array of new technologies that are becoming commonplace across all industries and truly transforming personal data processing, which means regulation needs to try to keep up. To celebrate the EU GDPR’s 4th birthday, we wanted to discuss two technologies that we believe are at the forefront of innovation and will become hot topics in data protection circles over the next four years: Artificial Intelligence (AI) and Blockchain.
AI is an emerging technology that is slowly stepping into many business models across the globe. Personal data processing powered by AI is, to a degree, already regulated by the data protection laws already in existence. However, it is quickly becoming apparent that the capabilities of AI mean that it does need further regulation or, at least, further clarification around how existing laws apply to it. Therefore, in the next four years we fully expect to see Data Protection Authorities issuing working-guidance on how to ensure AI systems can remain compliant with both the EU and UK GDPRs. This will likely cover data anonymisation, data sharing, explainability and accountability, and respecting data subject rights, particularly Article 22, something we have discussed in one of our previous blogs.
Aside from existing legislation, we expect to see a raft of additional legislation being proposed and entering into force over the next four years in relation to AI. There is currently a global push to regulate AI technologies, with different countries offering different solutions to the problem. It is likely that this ‘AI push’ will see the development and implementation of ‘Explainability Frameworks’ and further assessments, like Algorithm Impact Assessments, to ensure that AI systems are not discriminatory in nature and can meet the accountability and explainability principles that data subjects, in the EU and UK especially, have come to expect. In 2021 the EU published a draft AI Act, which it is hoped will enter into law in the coming years, and the UK set out its National AI Strategy for becoming a global AI superpower, which includes plans to revolutionise the governance of AI. We believe that the EU and UK are leading the way for AI regulation and, as with data protection regulation, the rest of the world will in time follow suit by creating AI regulations of their own.
For more information on data protection in the context of AI, read our blog post on the five key considerations for using AI technology.
Blockchain and digital distribution ledgers
Blockchain is best known as the technology that facilitates crypto currencies like Bitcoin. It is used as a way of enabling and recording transactions in a way that is extremely difficult to alter, therefore allowing a trusted record of transactions to be kept. But blockchain technology has the potential to be used in many more ways, and with its increased use it is likely to raise data protection concerns and therefore attract additional regulation.
In terms of crypto-currencies, these are already the focus of ongoing regulation efforts by the world’s financial institutions. In the EU, draft Market in Crypto-Assets (MiCA) rules are in the process of being created, and it is anticipated that other countries will soon follow suit. However, how blockchain in general will impact data protection is an area that is at the moment fairly unexplored.
Blockchain, on the face of it, is likely to cause some conflicts with current data protection laws, and so we anticipate that there will be some legislative developments in this area or, at the very least, guidance issued by authorities on how the two interact. Because blockchain is decentralised by nature, it conflicts with the accountability requirement set out in data protection legislation and with the need to be able to identify the data controlling and processing parties within a processing relationship. Similarly, data protection rights such as the right to be forgotten and the right to rectification are also at odds with the core nature of blockchain technology.
For all of its issues, blockchain could also provide data protection benefits given that it is designed to enable data-sharing without the need for a central trusted middleman. It also offers transparency to those who have access to the block, and block-sharing can help automate data sharing, which could help influence the push for economic policies and incentives behind data-sharing. If the potential inconsistencies between the use of blockchain technologies and data protection law can be ironed out in the next few years, the European Parliament itself has suggested that we could see a huge change to data transfers if blockchain becomes a serious consideration to legislative bodies.1
With the ever-changing nature of technology and the advancements being made, we think that governments and regulators will start to embrace these new technologies and will slowly start issuing guidance and legislation on these matters. Without support and guidance from these bodies, organisations conscious about compliance are likely to be hesitant to utilise these new technologies to their full potential, given the uncertainty that currently reigns. We therefore believe that the next four years will see a concerted push to make sure that the right regulation and knowhow is in place to ensure that organisations and member states are ready for this new digital age and can make best use of these technologies.
If any of these areas affect your organisation and you want to be ready for the next four years, don’t hesitate to contact us by filling in the form below.