'Everyone talks about the ethics of AI, but don't forget the law,' says Dr Kuan Hon

"Everyone's talking about ethics in relation to Artificial Intelligence [AI], but don't forget about the law!"

That statement was made by Dr Kuan Hon, director, privacy, security and information law at Fieldfisher, speaking at Computing's AI & Machine Learning Live event recently.

"The main thing in applying the law to AI is that you can't take a one-size-fits-all approach, you have to look at the precise use case. It's quite different looking at credit-scoring as opposed to predictive policing for instance," Hon added.

She explained that the GDPR applies to some use cases of AI, including profiling of individuals, often for advertising purposes.

"All profiling if it's using personal data is processing and therefore has to comply with the GDPR," said Hon.

However, for the automated decision making (ADM) provisions of GDPR to apply, the decision needs to have a significant effect on the individual.

"Profiling by itself is not the same as profiling that leads to ADM. GDPR regulated automated decisions which have a legal or similarly significant effect on the individual. So targeted advertising, does it have a significant effect? Normally no, as you can choose whether to click or to buy, you're not forced into anything.

"But if you show ads for easy credit to someone in debt, maybe that would be seen to have a significant effect. Then that would be banned under GDPR unless you have member state laws that authorise the decision (with safeguards), or where decision is necessary for entering into or performing a contract (with safeguards) or where you have explicit consent and again you have safeguards, for example the right to challenge the decision."

Another legitimate use of ADM would be where an organisation has an exceptionally high number of job applications.

"There you might argue that you need ADM to go through them all properly," Hon said.

She gave an example of a recent case brought under the GDPR legislation in Finland.

"The regulator in Finland brought an investigation based on one person's complaint. There was an online credit decision service which was considered to use ADM. Part of its decision was made on age - if you're too old then you don't get credit. The regulator ordered that the company give information to the complainant about the logic behind its ADM in its decision-making. As a result it was ordered to change how it assesses credit-worthiness.

"The regulator also found that the firm's notices about ADM didn't explain how it reaches decisions well enough, so that had to change too."

La Liga was recently fined €250,000 under GDPR for using its mobile app to eavesdrop on fans. Dr Hon has a roundup of security fines for GDPR breaches - none in the UK yet - on her LinkedIn.