Unlocking Global Synergies: OECD's AI Guidelines elevate data governance and privacy to a new level


by Gergely Rideg

The OECD covers a broad spectrum of artificial intelligence (AI) topics in the Artificial Intelligence Papers series. This includes topics on the different ways in which AI can be used in education, health and other policy areas. Naturally, if the OECD is to reach its original objectives, e.g., improving the quality of life and promoting economic development in its member countries, there is no doubt that the development of AI must be on the agenda.

It is fascinating to see how much the various international organisations in the field of AI contribute to the work of national legislators through the recommendations and impact assessment studies they publish and the feedback they provide on the legal aspects of the usage of AI. The OECD, as an organisation with useful experience and resources to address transnational issues and to help stimulate a global discourse on these issues, is a particularly good platform for discussions on AI-related developments. It also provides an opportunity to identify practical problems and critique issues on a topic-by-topic basis. It is interesting, for example, when Keith Stier talks on the OECD YouTube platform about how national strategies for AI are falling short in investment toward expanding computing capacity.[1] Another interesting topic is gender inequality in programming skills, as highlighted by Nagham ElHoussamy, particularly in African countries.[2]

As part of the 'Artificial Intelligence Papers' series, the document titled 'AI, Data Governance, and Privacy: Synergies and Areas of International Cooperation' was published in June 2024, examining the interplay between these key areas.

By drafting this report, the OECD is trying to build a bridge between its own data protection guidelines and the AI principles. This further expands the number of documents that seek to address the complexity of the legal and scientific field with compliance and regulatory elements to be implemented at international level. The OECD documents have so far proved useful and exemplary, such as the Recommendation of the Council on Artificial Intelligence, which is one of the guiding documents of this report. All OECD members and some non-OECD members have signed up to the Recommendation.[3] As Karen Yeung points out, the Recommendation "fits comfortably into the larger family of 'ethical AI' initiatives produced by the multidisciplinary AI expert group appointed by the OECD's Digital Economy Policy Committee in September 2018."[4] Nevertheless, it can also be argued that this document laid the foundations for many subsequent documents with the principles it articulates.

The OECD's description and explanatory notes to the report highlight that AI systems and data protection rules are often dealt with independently by different regulatory communities. In evaluating this statement, it is important to note that this is less true within the European Union, where the data-driven nature of AI systems has been expressed in numerous places and where numerous academic papers, guidelines and recommendations emphasise the fact that the two regulatory areas are intertwined. Chapter 3 of the report itself provides numerous examples of this. The Digital Regulatory Package on the NAIH website is a good illustration of how European regulations seek to build on one another and how regulation is now seeking to link and cover key parts of the digital sector.[5] This report focuses on the data protection risks and opportunities arising from recent developments in AI, and seeks to bring together the principles defined in previous data protection guidelines and the OECD principles on AI.[6]

The report is divided into three main chapters: 1. Generative AI: a catalyst for collaboration on AI and privacy; 2. Mapping existing OECD principles on privacy and on AI: key policy considerations; 3. National and regional developments on AI and privacy topics.

A major strength of the report is the way it addresses the technical challenges currently facing science in the field of generative AI. One such example is the right of natural persons to request the correction, modification, or deletion of their personal data when it is used as training data for large language models. As the report points out, it is particularly difficult to implement these rights and comply with data protection provisions when the machine learning model may have been developed on unstructured information curated from the internet. The problem at hand is a fundamental one of data subject rights under the GDPR, and dealing with the sheer volume of such data is a major challenge for the AI developer.

Many people don't consider their data to be sensitive enough to recognize the potential for a catastrophic breach, which is why it's important to provide an example to illustrate the true nature of the problem and the risk behind it.

A similar breach occurred during the Cambridge Analytica scandal, where the personal data of millions of Facebook users was collected and used without their knowledge.[7] Although this case has been covered in the press as one of the biggest privacy scandals in Facebook's history, it is worth emphasising that we are talking about a breach involving the use of AI, one that highlights the misuse of AI systems. AI was not only used to automate processes and maintain data hygiene but also to find patterns in massive voter datasets. The infringement stems from two key factors: the unauthorized collection of vast data and the AI-driven transformation of this raw, disordered information into an organized, manageable data asset.[8]

Beyond the dichotomy of the two topics mentioned above, the document also highlights deeper international regulatory phenomena. It points out that regulation is characterised by a kind of natural irregularity. Indeed, the different AI and data protection policy communities are still largely reacting independently to the challenges of AI and data protection. This and the lack of consensus on language and terminology can clearly lead to minor misunderstandings. We agree with the OECD's finding that it has helped to promote the standardisation of these terminologies. In fact, the OECD's subject matter reports were also taken into account when drafting the European AI legislation.

The comparison in Table 3 in Chapter 2 is particularly meaningful and relevant, because it highlights critical differences in how key concepts are understood and applied by the AI and privacy policy communities. It is essential that the two areas (AI and privacy policies) are treated in the same way, or if treated differently, that the distinctions in these key concepts are explicitly acknowledged. For example, the term 'transparency' is interpreted quite differently by the two communities, and this difference must be clarified to foster better cooperation and mutual understanding. On the one hand, "for AI policy communities, transparency, explainability and interpretability have different meanings but overall refer to the good practice of AI actors providing accessible information to users to foster a general understanding of AI systems, making stakeholders aware of their interactions with AI systems".[9]

On the other hand, "for privacy policy communities, transparency is a positive legal obligation to inform individuals, from whom personal data are collected, no later than at the time of data collection, on the use purposes for which consent is requested and the subsequent use is then limited to the fulfilment of those purposes."[10] In both cases, it is about giving the data subject additional information, so that they are not merely subjected to what is happening but can also understand what is happening with their data or in the service they want to use. In the case of AI, it is explicitly about understanding how the process works. Ultimately, in both cases, the data subject is put in a position to make a responsible decision about his or her own circumstances, so that he or she can exercise the right or decide not to have the data processed or not to use the AI service.

The report is a useful interpretative tool for the development of AI systems: as the example above shows, it helps to highlight the points of intersection of regulatory areas and provides concrete examples of divergences. The report is also an excellent reference collection of relevant international documents that have been produced on the subject and that contain recommendations in one form or another on the various topics.

The third chapter presents a non-exhaustive but interesting collection of regulatory achievements in some OECD partner countries. According to the document, this list illustrates the diversity and complementarity of the measures already adopted by the various authorities. The international range includes examples from Canada, Spain and Singapore.

We learn that in December 2023, Canadian privacy regulators launched principles for responsible development and use of generative AI, and we can also read that in France, the CNIL created an AI department in January 2023 to strengthen its expertise on these systems and its understanding of the risks to privacy while anticipating the implementation of the EU AI Act.

The text also provides information on interesting and current legal cases, such as the investigation initiated by the Brazilian PEA on July 27, 2023, to assess how ChatGPT complies with the Lei Geral de Proteção de Dados (LGPD) after receiving a complaint and following media reports suggesting that the service, as provided, does not comply with the country's data protection law. As can be seen from this example, the document does not contain specific detailed case studies, but rather a collection of pointers from which the reader can then look up the parts he or she finds interesting.

Overall, the report brings us one step closer to an international minimum set of requirements that will help to create a sustainable AI application that will contribute to improving the quality of human life. This document seeks to put regulation into context, clarifying basic concepts and linking the regulation of the raw material of AI systems with the regulation of the "machine".

 

[1] AI compute and climate change: what policymakers need to know and what is happening at the OECD - https://www.youtube.com/watch?v=KFL8jo2XKt0

[2] Empowering African women through AI - https://www.youtube.com/watch?v=u7t1q0TtgGA

[3] Recommendation of the Council on Artificial Intelligence - https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449#monitoring

[4] YEUNG, Karen. Recommendation of the council on artificial intelligence (OECD). International legal materials, 2020, 59.1: 27-34.

[5] Uniós digitális jogszabály-csomag - https://www.naih.hu/unios-digitalis-jogszabaly-csomag

[6] OECD Artificial Intelligence Papers - https://www.oecd-ilibrary.org/science-and-technology/ai-data-governance-and-privacy_2476b1a4-en

[7] Cambridge Analytica and Facebook: The Scandal and the Fallout So Far - https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html (downloaded: 07.12. 2024.)

[8] POLITICO AI: Decoded: How Cambridge Analytica used AI - https://www.politico.eu/newsletter/ai-decoded/politico-ai-decoded-how-cambridge-analytica-used-ai-no-google-didnt-call-for-a-ban-on-face-recognition-restricting-ai-exports/ (downloaded: 07.12. 2024.)

[9] OECD Artificial Intelligence Papers, 28.

[10] Ibid.