Legislators need to be leading the debate around AI, not playing catchup, says Lloyds Bank analyst

As technology advances exponentially, legislators need to find a way to do the same, argues panel

We are reaching a crunch point where those who make the rules governing how personal and sensitive data may be used are going to fall further and further behind technology.

That's the opinion of Kapil Dhar, lead digital business architect and analyst at Lloyds Banking Group, as expressed during a panel debate at the Connected World Summit in London today. The only fair and sustainable way to decide on permissible uses of sensitive information such as health data and financial records is through standards-based regulation, and yet the regulators are flat-footed in the face of technologies that "will allow us to do in two years what now takes us 10".

"Regulators need to evolve as to how far ahead they think," said Dhar. "If they are playing catchup now, they will always be playing catchup."

GDPR, the first major piece of data protection legislation to be enacted since the dawn of the internet, was 20 years in the making. New legislation needs to be much more fleet-of-foot, he argued.

"AI and IoT, these technologies are developing at a much faster rate. Regulation needs to be more technology agnostic, more principles-based, and more concerned with citizen and individuals, considering their liberty, their identity and their privacy. Legislation needs to lead the way instead of playing catchup," Dhar said.

It's not only the rate of change of the technology, but also the possibility of cross-matching ever more datasets derived from devices that can be tied to an individual. Sensors can pick up and track a phone as it moves through a shopping mall, for example, and that data can be cross-matched with the individual's purchases. Even relatively anonymous data can become highly personalised when combined with other datasets.

"This is the real challenge," said Christian Schmitz, MD of technology vendor exceet Secure Solutions, whose customers include medical device manufacturers. "Companies collecting all this data and deciding on the appropriate protection level. We need to insist on the highest possible protection level."

Key to this is insisting on anonymisation on collection as the default, with data only processed with consent, the panel agreed. However, this raises difficulties as to the use of datasets in research, where anonymised datasets may not be sufficiently granular, particularly with reference to individualised treatments that are currently impossible to imagine, said Patrice Slupowski, SVP digital innovation at telecoms firm Orange, France.

"Even without my consent, it may be argued that consent should be granted in the absence of having to explain the full purpose," he said.

The nature of research means that the ultimate usage may not be known. Currently the rules around consent in this area are not sufficiently clear, Slupowski added. "If we want to keep a large volume of data on a particular individual for their own benefit then we will be facing a challenge."

These issues are not new, of course, but given the volume of data derived from IoT devices, combined with the rise of machine learning techniques and big data analytics that promise to bring a revolution in what can be achieved through its processing, it's clear that legislators need to do more than merely ensure they are not standing still. The typical 20-year gap between major regulatory changes may need to be more like four years.