AI and data protection

Challenges and solutions in the context of the EU AI Act in connection with the risk classes.

The rapid development and increasing spread of artificial intelligence (AI) brings with it many opportunities as well as considerable challenges in the area of data protection. The EU-AI-Act, a groundbreaking regulation of the European Union, categorizes AI applications into different risk classes and thus lays the foundation for a differentiated approach to the associated data protection risks. Find out more about the connection between AI and data protection here.

This article highlights the specific data protection problems in each risk class and presents detailed solutions.

Minimal risk

Definition:
AI applications with minimal risk are not subject to specific regulatory obligations, but must respect basic data protection rights.

Examples: Simple chatbots, AI-based games, basic recommendation systems

Problems:

• Unintentional processing of personal data
• Lack of awareness of potential data protection risks
• Lack of transparency regarding the use of data

Solution approaches:

1. Development of clear guidelines:
   Create comprehensive privacy policies specifically for AI applications with minimal risk. These should include best practices for data minimization, purpose limitation and storage limitation.
2. Training programs:
   Implement regular training for developers and product managers to raise awareness of data protection risks. This training should include practical examples and case studies.
3. Privacy by Design:
   Integrate data protection considerations into the development process right from the start. This can be achieved by using data protection checklists and carrying out data protection impact assessments (DPIAs), even for applications with minimal risk.
4. Regular audits:
   Conduct periodic reviews of data processing practices to ensure that there is no unintended expansion of data use.

Limited risk

Definition:
AI applications with limited risk are subject to specific transparency and information obligations, but are not restricted in their use.

Examples: Chatbots with extended functionality, personalized recommendation systems, AI-supported search engines

Problems:

• Complexity of obtaining informed consent
• Difficulties in explaining the use of data in an understandable way
• Potential violation of privacy through excessive personalization

Solution approaches:

1. Improved transparency mechanisms:
   Develop innovative ways to communicate complex data processing in an understandable way. This could include interactive explanatory videos, infographics or step-by-step disclosures.
2. Granular consent options:
   Implement detailed consent options that allow users to precisely control which data may be used for which purposes. Use user-friendly interfaces such as sliders or checkboxes.
3. Data protection dashboards:
   Provide users with a central dashboard where they can view and customize their privacy settings. This dashboard should also contain information on how their data influences AI decisions.
4. Regular transparency reports:
   Publish detailed reports on data use and processing on a regular basis. These reports should be understandable for both laypersons and experts and contain concrete examples of the effects of data processing.

High risk

Definition:
High-risk AI systems are subject to strict regulatory requirements and must fulfill comprehensive data protection, transparency and accountability obligations.

Examples: AI in medical diagnostics, automated decision-making systems in the financial sector, AI-supported monitoring systems

Problems:

• Complexity of algorithms makes traceability and accountability difficult
• Increased risk of bias and discrimination
• Challenges in ensuring data integrity and security

Solution approaches:

1. Implementation of robust governance structures:
   Establish a dedicated AI ethics committee to oversee the development and use of high-risk AI systems. This committee should be interdisciplinary and conduct regular audits.
2. Advanced Explainable AI (XAI) techniques:
   Invest in the development and application of advanced XAI methods that enable the decision-making processes of AI to be made comprehensible. This could include LIME (Local Interpretable Model-agnostic Explanations) or SHAP (SHapley Additive exPlanations) techniques.
3. Comprehensive bias detection and mitigation strategies:
   Implement automated tools to detect bias in training data and model outputs. Develop strategies to actively reduce bias, e.g. by diversifying training data sets or adapting the model architecture.
4. Extended data security measures:
   Use advanced encryption techniques such as homomorphic encryption, which allows computations to be performed on encrypted data. Implement multi-factor authentication and strict access controls for all systems handling sensitive data.
5. Continuous monitoring and adaptation:
   Establish a real-time monitoring system that continuously monitors the performance and outputs of the AI systems. Implement automatic alarm systems that react immediately in the event of deviations or potential data protection breaches.

Unacceptable risk

Definition:
AI applications with unacceptable risk pose a significant threat to security and fundamental rights and are prohibited.

Examples: AI systems for the manipulation of human behavior, social scoring systems

Problems:

• Fundamental violation of basic rights and human dignity
• Massive data breaches and potential for abuse
• Undermining democratic principles and social values

Solution approaches:

1. Strict regulatory enforcement:
   Support the development and implementation of robust enforcement mechanisms at national and EU level. This should include the creation of specialized task forces and the development of advanced detection technologies for prohibited AI systems.
2. Ethical guidelines and self-regulation:
   Promote the development and adoption of strict ethical guidelines in AI research and development. Establish self-regulatory mechanisms within the industry, including peer review processes and voluntary ethics audits.
3. Public awareness and education:
   Launch comprehensive education campaigns to raise public awareness of the risks of AI systems with unacceptable risk. Integrate AI ethics and data protection into educational curricula at all levels.
4. International cooperation:
   Promote global cooperation to combat AI systems with unacceptable risk. This could include the development of international agreements and cooperation mechanisms for information sharing and joint enforcement.

Conclusion:
The challenges of data protection in AI applications are diverse and complex, but vary greatly depending on the risk class.

While systems with minimal and limited risk mainly require transparency and awareness-raising measures, high-risk systems require comprehensive technical and organizational solutions.

Strict bans and proactive preventive measures are essential for systems with an unacceptable risk.

The solutions presented offer a framework for dealing responsibly with AI and data protection. However, their successful implementation requires close cooperation between technology developers, regulatory authorities and civil society. Only through a holistic approach that reconciles technical innovation with ethical principles and legal frameworks can we exploit the full potential of AI without jeopardizing fundamental data protection rights.

Please note that the content of the EU-AI-ACT may change. Appropriate precautions when implementing AI systems must therefore always be adapted to the current status of the ACT.

We will be happy to advise you.