AI in all its forms
Legal Watch No. 52 – October 2022
On October 17, 2022, the CNIL confirmed, by sanctioning the company Clearview AI to the tune of 20 million euros, its competence as regulator in the field of artificial intelligence.
This sanction follows a formal notice that remained unanswered, and the company's lack of cooperation during the inspection procedure.
Adopted after a consultation procedure at European level, it joins the sanctions already pronounced against the same company by several of the CNIL's counterparts.
- The CNIL notes the absence of any legal basis for the systematic and large-scale collection of some twenty billion images of faces publicly accessible on millions of websites, images that the company markets in particular to law enforcement agencies.
- The CNIL considers that, given its particularly intrusive nature and the biometric nature of the data, the collection should have been subject to the prior consent of the persons concerned.
- It also notes that the company does not respect the rights of access and deletion of the persons concerned.
This decision comes in a context of increasingly precise supervision of artificial intelligence at national and international level.
The Council of State thus adopted two documents at the end of the summer in which it pronounces on the governance of the future European regulation on AI:
In its document of August 30, 2022, the Council of State addresses the issue of the quality of public service and lays the foundations for a French strategy for AI.
Among other things, it encourages strengthening the powers of the CNIL and making it formally responsible for regulating AI systems.
It therefore recommends a transformation of the CNIL, which would become "the national supervisory authority responsible for the regulation of AI systems, particularly public ones, to embody and internalize the dual challenge of protecting fundamental rights and freedoms, on the one hand, and innovation and public performance, on the other."
On September 27, the Council of State also published a study concerning the supervision of social networks in the context of the development of AI, in which it makes 17 recommendations to rebalance the forces in favor of users, equip public authorities in their role as regulator and think about the social networks of tomorrow.
For its part, Parliament is looking into the issue of video surveillance and facial recognition: a fact-finding mission was launched on September 13 by the Law Committee of the National Assembly and entrusted to Philippe Latombe, MP and member of the CNIL's college.
Parliamentarians will have to understand "the challenges of using security images in the public domain to combat insecurity," and will look in particular at facial recognition.
This will involve taking stock of recently authorized devices such as body cameras and drones, and considering possible developments such as augmented cameras, with a view to producing a legislative proposal.
Let us also mention the opening of negotiations for a convention of the Council of Europe on artificial intelligence, human rights, democracy and the rule of law.
It would be the first legally binding international instrument on artificial intelligence.
This convention would complement the regulation on artificial intelligence proposed by the European Commission, by strengthening the protection of the fundamental rights of individuals.
The European Data Protection Supervisor welcomed this initiative, while recalling the AI systems which, in its view, pose unacceptable risks and should be banned, namely:
- Social scoring,
- Biometric identification in public spaces,
- Categorization of individuals based on biometric data,
- Categorization of individuals based on their perceived emotions.
It should be remembered that the AI regulation proposed by the European Commission supports this approach by prohibiting the most intrusive AI techniques, such as those that manipulate individuals or enable social scoring.
A list that defenders of civil liberties still find insufficient, and that its detractors find excessive.
It should be noted that the United States sent a non-paper to several capitals and the European Commission at the end of October, aiming to convince them to limit the scope of the future regulations and to broaden their exceptions in order to maintain more flexibility in the possible uses of artificial intelligence.
The United States is also preparing AI regulation of its own: on October 4, the White House presented the "Blueprint for an AI Bill of Rights," which describes the five protections that Americans should benefit from:
- Safe and effective systems,
- Protection against algorithmic discrimination,
- Data privacy,
- Notice and explanation about how the AI works,
- Human alternatives, consideration and fallback for automated decisions.
Finally, it should be noted that data protection regulators from more than 120 countries agreed on a framework for the use of facial recognition at the 44th Global Privacy Assembly, held in Istanbul at the end of October.
The resolution requires that the entity using the technology:
- Establish "its reasonable, necessary and proportional character",
- Assess respect for the rights of individuals,
- Ensure transparency in its use of the technology.
Clear and effective accountability mechanisms must also be put in place.
And also
France:
Cybercrime: The Minister Delegate for Digital Affairs and the Minister of Health announced a budget of 20 million euros for the benefit of ANSSI to strengthen support for healthcare establishments that are victims of ransomware.
The CNIL publishes educational resources on its website to better protect children aged 8 to 10 on the internet.
These resources are intended for parents, children, teachers and educators.
The CNIL also updated its recommendation on password authentication on October 17.
In a context of increased threats to online security, the CNIL elaborates in particular on the usefulness of strong or multi-factor authentication solutions and of electronic certificates.
Europe:
The European Data Protection Board (EDPB) has adopted updated guidelines on data breach notification, open for public consultation until November 29, 2022.
The updated section concerns the notification of a personal data breach by a controller established outside the European Union.
The fact that such a controller has appointed a representative in one of the EU countries does not, according to the EDPB, relieve it of extensive obligations: the text now specifies that "the mere presence of a representative in a Member State does not trigger the one-stop-shop system."
The breach will therefore have to be notified to every supervisory authority of a Member State in which affected data subjects reside.
The Court of Justice of the European Union ruled in a judgment of 20 October that further processing consisting of the creation, from an existing database, of a second database used to carry out tests and correct errors is permitted if:
- there is "a concrete, logical and sufficiently close link between the purposes of the initial collection and the subsequent processing"; and
- the further processing does not deviate from the legitimate expectations of subscribers.
In the case at hand, the Court considered that such a close link exists. It recalled that the data must be deleted once the (secondary) purpose of the processing has been fulfilled.
In a judgment of 27 October concerning the Belgian company Proximus, the Court rules on the obligations of directory providers when a subscriber withdraws his consent to the processing of his data.
The Court considers that the data protection authority may require a provider of publicly available telephone directories, as the data controller, to take appropriate measures to inform other data controllers (including the provider of the telecommunications service from which the data was communicated) of the withdrawal of the subscriber's consent.
The European Digital Markets Act (DMA) was published on October 12, 2022.
This text, which aims to "put an end to the unfair practices of companies that act as 'gatekeepers' in the online platform economy," will apply from May 2, 2023.
It designates the largest online platforms as "gatekeepers" and establishes a list of prohibitions and obligations intended to "ensure fair and open digital markets."
The proposal for a European regulation on child sexual abuse (CSAR) is the subject of much criticism from civil society, and the launch of a “stop scanning me” campaign.
According to the NGOs concerned, the proposal, despite its laudable objectives, threatens to "fundamentally compromise secure online communication and make the internet less safe for everyone."
The proposal would allow authorities to require automated scanning of private online communications in order to detect content related to child sexual abuse.
However, an investigation by the Irish Council for Civil Liberties (ICCL) reveals that the Irish police retain personal data (email, screen name, IP address) even for reports that turn out to be false alerts.
The huge number of false positives (fewer than 10% of reports are believed to be usable) could also prevent the police from tackling the heart of the problem.
The Italian Data Protection Authority opens an investigation into an application that generates artificial voices (“deep fake”).
The authority has opened an investigation into the Fakeyou app, which allegedly converts text files into voices imitating those of famous people, particularly Italian ones.
Furthermore, the Italian consumer protection authority ruled that a sign depicting a stylised camera was insufficient to provide information on the use of video surveillance cameras and imposed a fine of 2,000 euros on the controller.
The Irish Data Protection Authority has made available on its website a compilation of more than 30 specific case studies it has dealt with, which are not included in its annual reports. The publication gives a better understanding of the authority's approach to topics such as employee monitoring, video surveillance, the notion of legitimate interest, and the compatibility of processing purposes.
The Dutch Court of Appeal in Arnhem-Leeuwarden upheld a ruling that a copyright regulator could not compel an internet service provider to send warning letters to suspected copyright infringers: the internet service provider has no legal basis for processing personal data relating to criminal convictions and offenses.
The UK Data Protection Authority (ICO) has issued a communication on biometric technologies such as emotion analysis, which it says are immature and risk leading to discrimination.
Among the uses it identifies as risky are monitoring workers' physical health with wearable screening tools, and the visual and behavioral observation of students (body posture, speech, eye movements and head movements) to register them for exams.
The ICO has also published draft guidance on employee monitoring.
The ICO points in particular to the growing trend towards working from home and the problem of productivity monitoring, since workers' expectations of privacy are likely to be higher at home than at the workplace.
The ICO also notes that "keystroke monitoring is classified as behavioral biometric data when a worker is identifiable based on their unique typing pattern and rhythm." The draft is open for consultation until January 11, 2023.
International:
Data transfers to the United States: a major milestone was reached on October 7 with President Biden's signing of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.
This order aims to enable the implementation of a new data protection framework between the European Union and the United States following the Schrems II ruling of the CJEU, which invalidated the Privacy Shield.
The framework could be finalized in early 2023, following the opinion of the European Data Protection Board (EDPB) and the adoption of an adequacy decision by the European Commission.
The uncertainty surrounding the framework concerns the extent of the surveillance powers of the US authorities and the remedies available to European citizens against US measures taken against them.
It should be added that, since it is not legislation passed by Congress, this executive order can be revoked by a future administration, which adds to the legal uncertainty.