Privacy Commissioner Carly Kind joined data protection authorities from Korea, Ireland, France and the UK in signing a joint declaration to reaffirm commitment to establishing data governance that fosters innovative and privacy-protective AI.
1. Artificial intelligence (AI) presents immense opportunities for the benefit of humanity, innovation in science, the economy and society as a whole. AI also poses significant risks with respect to the protection of fundamental rights such as data protection and privacy, but it also poses risks of discrimination, misinformation and hallucination that are often caused by the inappropriate processing of data.
2. We recognise the need to fully cultivate public trust and harness the transformative benefits AI could bring. We recall that AI should be developed and deployed in accordance with data protection and privacy rules and other norms. This includes embedding privacy-by-design principles into AI systems from the initial planning stage and implementing robust internal data governance frameworks. These frameworks should incorporate technical and procedural safeguards for effective management and mitigation of risks throughout the entire lifecycle of an AI system.
3. Moreover, we recognise that in the current environment surrounding AI development and deployment, data processing has become exceedingly complex. Indeed:
- It is developed and deployed across many different sectors, including health, public services, public security, human resources and education.
- It involves a great number of stakeholders scattered all over the world and complex value chains, including dataset creators, model providers, dataset and model hosting platforms, integrators, annotators, system deployers and end users.
- It operates at large scale with AI technologies necessitating vast amounts of data that are at the core of these systems.
- It implies complex data processing that poses significant challenges for its control and increases the needs for transparency to foster the protection of privacy and other fundamental rights.
- It evolves at a very fast pace with major scientific and technological breakthroughs being recorded on a daily basis.
4. Citizens’ and businesses’ need for answers and legal certainty is therefore increasingly pressing in order to enable the development of AI within trustworthy data governance frameworks. At the same time, the application of rules should provide a sufficient degree of flexibility for various innovative efforts to take place consistently with the protection of privacy and personal data. We recognise therefore the importance of supporting players in the AI ecosystem in their efforts to comply with data protection and privacy rules and help them reconcile innovation with respect for individuals’ rights.
Highlighting data protection authorities’ leading role in shaping data governance to address AI’s evolving challenges, we commit to the following:
5. To foster our shared understanding of lawful grounds for processing data in the context of AI training in our respective jurisdictions. Clear standards and requirements should be developed to ensure that AI training data is processed lawfully, whether based on consent, contractual necessity, legitimate interest or other legal justifications. In doing so, attention should be paid to various relevant factors, including the specific purposes of AI development, the characteristics of the requisite data, the reasonable expectation of data subjects, and associated risk mitigation strategies.
6. To exchange information and establish a shared understanding of proportionate safety measures based on rigorous scientific and evidence-based assessments and tailored to diversity of use cases. The relevance of these measures should be regularly updated to keep pace with evolving AI data processing technologies and practices.
7. To continuously monitor both the technical and societal implications of AI and to leverage the expertise and experience of data protection authorities and other relevant entities, including NGOs, public authorities, academia and businesses, in AI-related policy matters when possible.
8. To reduce legal uncertainties and secure space for innovation where data processing is essential for the development and deployment of AI. This may include institutional measures, such as regulatory sandboxes, as well as tools for sharing best practices. These measures and tools should be grounded in public trust and be consistent with principles of privacy and data protection.
9. To strengthen our interactions with relevant authorities, including those in charge of competition, consumer protection and intellectual property, to facilitate consistency and foster synergies between different applicable regulatory frameworks to AI systems, tools and applications. Dialogues involving diverse players in the AI ecosystem should also be encouraged.
Signed by:
- Haksoo Ko, Chairperson, Personal Information Protection Commission, Korea
- Marie-Laure Denis, President, Commission Nationale de l'Informatique et des Libertés, France
- John Edwards, Commissioner, Information Commissioner’s Office, United Kingdom
- Dale Sunderland, Data Protection Commissioner, Ireland
- Carly Kind, Privacy Commissioner, Office of the Australian Information Commissioner, Australia
