Artificial intelligence in line with law and social issues.

Legal Watch No. 34 – April 2021

Artificial intelligence in line with law and social issuesArtificial intelligence and security are today linked in political and legal discourse. But How far can – or should – the adaptation of our regulatory framework to challenges such as terrorism incorporate the latest technological developments?

Controversies abound at the beginning of spring, with the adoption of the global surveillance law and the new measures of the anti-terrorism law.

The limits of widespread data collection

In the current context, we note the influence of several actors including the Council of State, civil liberties associations and the Court of Justice of the European Union.

The latter issued two judgments on October 6, 2020, which concern France with regard to its intelligence law and its practices of retention of connection data.

The Court of Justice has in fact recalled the non-compliance with fundamental rights of the widespread and indiscriminate collection of communications data from operatorsThe Court specifies the exceptional nature that such collection must have, for national security objectives and for a strictly limited duration.

Referred to on the basis of these rulings by associations, the Council of State carried out in its decision of April 21 a delicate exercise of conciliation between European Union law and the national objectives of the fight against terrorism and crime, asking the government to make some adjustments to its policy of generalized surveillance (periodic re-examination of the threat justifying the collection of data, binding and no longer consultative effect of the opinions of the National Commission for the Control of Intelligence Techniques – CNCTR).

These conclusions are strongly criticized by the associations, which highlight the inadequacy of the required adjustments and the very broad interpretation by the Council of State of the notion of "national security" beyond the fight against terrorism, to include for example economic espionage, drug trafficking or the organization of undeclared demonstrations, in violation of European law.

La Quadrature du Net and other associations also referred the question of the legality of the global surveillance law to the Constitutional Council on 29 April, also on the basis of the disproportionate nature of many of the surveillance measures provided for in the law. 

The algorithms of the anti-terrorism law

The discussions sparked by the bill on the prevention of acts of terrorism and intelligence are superimposed on this debate and revive questions of proportionality of the measures envisaged.

We are referring in particular to two aspects of the bill, which in an initially published version, intended to perpetuate the use of algorithms to monitor, in particular, the connections of Internet users based on the websites visited, and to collect widespread satellite communication data.

The version of the draft published on April 28 in the National Assembly no longer contains these provisions, which should be adapted – in order to take into account the “adjustments” requested by the Council of State – in a corrective letter expected during the month of May.

Note that the CNIL's opinion of April 8 on this project has not been published, nor that of the National Commission for the Control of Intelligence Techniques.

Clearer future regulation of AI at European level?

Alongside these national developments, The European Commission published a proposal for regulating artificial intelligence on April 21., which some already consider too restrictive while others deplore its limitations.

The Commission plans to ban the use of AI that violates EU values and human rights, particularly "unacceptable" uses intended to influence behavior or target individual vulnerabilities through predictive algorithms.

The proposal, for example, prohibits "social scoring." as seen in China with the development of applications allowing the State to assess the social credit of each individual. Risk analysis (especially treatments identified as "high risk") will have to be carried out by developers of projects using AI.

Violations of these principles can, as in the GDPR, give rise to fines of up to 4% of turnover.

The restrictive measures provided for in the proposal do not, however, apply to governments and public authorities in the European Union that use AI to protect public security.

Some, including the European Data Protection Supervisor, deplore the absence of a moratorium on current issues such as the real-time use of biometric surveillance cameras by the State.

Although the proposal restricts such use, it remains possible, particularly in the context of terrorist attacks or the search for criminals.

Others point out the burden of responsibility transferred from the State to private developers, who will have to carry out their own compliance analysis of the systems they propose, for example in terms of predictive policing, the use of AI in asylum procedures or worker surveillance.

These various developments highlight the sensitivity of a debate which must take into consideration both questions of national security, the preserve of States, and aspects of economic order and fundamental rights specified by a European legal order which is imposed on them.

The European proposal provides for the creation of a European AI Committee, composed of the various EU Member States, the European Commission and the European Data Protection Supervisor. This Committee will be responsible for deciding on unauthorized or high-risk developments in AI.

The beginning of a solution?

And also

France:

ANSSI continues its work to raise awareness of security risks, with a guide to securing websites.

The guide specifies the parameters to be specified when developing and integrating a website or web application, in order to guarantee its security.

The CNIL publishes a list of questions and answers concerning saliva tests in schools, used in the context of Covid-19 screening.

In its eighth Innovation and Foresight notebook, the CNIL develops the reasons that push an individual to file a complaint for non-respect of his rightsShe mentions four main reasons:

• “When individuals’ reputations are threatened by information available online (nearly a third of complaints);
• When they are victims of intrusion into their private sphere by commercial prospecting (around 20% of complaints);
• In case of surveillance at their workplace (10 to 15 % complaints); and finally
• When they are registered in national files (bank accidents, criminal records).

Europe:

European Union: The health passport project is the subject of debate at the European level.

Following the joint opinion of the Committee and the European Data Protection Supervisor, it is now the turn of the European Parliament to consider the issue.

It was thus highlighted,

• The need to integrate “Privacy by design” into the data processing system,
• The guarantee of absence of centralized database,
• A clear identification of the data controllers,
• Information of the persons concerned and
• A limited data retention period.

Council of Europe: On 28 April, the Committee of Ministers adopted a Declaration on the protection of children's privacy in the digital environment.

This declaration aims to strengthen the protection of children in what represents an increasing part of their lives, whether at school, with their friends or in the context of cultural or sporting activities, with a current particular impact due to the Covid-19 pandemic (online activities leading to more risks, including that of digital exclusion).

The Netherlands : The Limburg District Court considered the multiple right of access procedures initiated by an individual with the aim of obtaining damages to the data controllers who were slow to respond.

Always at the The Netherlands, the Amsterdam District Court ordered Uber to reinstate six drivers dismissed based on automated decisionsThe company was ordered to pay €5,000 in penalty payments per day of delay and more than €100,000 in damages.

According to information published in mid-April, the operator Huawei allegedly gained access to the Dutch telecommunications network KPN, allowing access to the communications of customers including many of the country's political decision-makers.

Spain: The Ministry of Defence has been warned by the data protection authority.

The reason for this is the recording by cameras installed around the ministry's offices – without any proven necessity – of parking space images belonging to neighboring houses (thanks to the GDPRhub wiki for its inventory of decisions). 

Germany : The Hamburg state supervisory authority announced on April 13 that it was launching a administrative proceedings against Facebook regarding WhatsApp's policy change regarding the collection of personal data.

The validity of users' consent is being questioned, which justifies a three-month freeze on data collection by the supervisory authority, while the investigation is ongoing.

International :

UNITED STATES : Facial recognition is developing in banks, which use smart cameras to identify their customers, employees and even the “homeless” who may be near the distributors. 

Although the use of artificial intelligence in the context of video surveillance is not regulated in a similar manner in all American states, the FTC (Federal Trade Commission) remains competent to verify the conditions of use of this technology, and to sanction its use for discriminatory purposes.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.