European netizens spent yesterday clicking through privacy policy updates for their various subscribed platforms and services. That’s because the European Union’s new General Data Protection Regulation (GDPR) — billed as the world’s toughest data use policy — came into effect today. The law also contains a controversial “right to explanation” provision that may impact AI research and deployment.

The GDPR aims to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,” by introducing “the most important change in data privacy regulation in 20 years.”

In a European Commission statement, Andrus Ansip, Vice-President for the Digital Single Market, explained: ”Our new data protection rules were agreed for a reason: Two thirds of Europeans are concerned about the way their data was being handled, feeling they have no control over information they give online.” Ansip’s words echo sentiments expressed across the Atlantic in the wake of the Facebook / Cambridge Analytica data abuse scandal.

As previously reported in Synced:

The GDPR applies to all companies processing the personal data of EU citizens regardless of company location.

Breaching the GDPR will carry stiff penalties, with companies facing fines of up to 4 percent of their global turnover. The New York Times estimates tech giants like Facebook risk penalties greater than US$1 billion.

Companies will be required to procure customer consent in clear and comprehensible language, allow easy user withdrawal from data collection, and notify local EU Data Processing Authorities of data usage. EU citizens will be entitled to have their data erased or transferred to another company, and must be notified immediately if their data is misused.

Keras database creator and Google deep learning researcher François Chollet tweeted today that “For years, many companies have treated your personal data as a resource to be opportunistically exploited — often with dire side effects. Having regulations that assert some well-scoped rights of individuals over the use of their data is an unmitigated good thing.”

The GDPR is a complicated piece of legislation covering 88 pages with a word count of 56,000, and many companies were unable to meet its requirements before the deadline. One such case is Tronc, the publishing company that owns the Los Angeles Times, Chicago Tribune, New York Daily News, etc. Tronic today temporarily shut down its EU websites, posting an explanation that read: “Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market.”

For data-hungry AI companies — and startups and researchers specifically — the GDPR may prove a nightmare. Its Section 4, article 22 requires a “right to explanation” for users on decisions made by automated or AI algorithm systems. Any European data subject has the right to opt out of a decision made by automated processing or AI that produces legal effects on them — for example the refusal of an online credit application or e-recruiting practices.

Some believe this provision will hurt AI research and may even roll back AI progress. AI algorithms can produce results from within a “black box,” in other words using a process that scientists themselves cannot explain. As University of Washington Professor and author of the seminal AI introduction The Master Algorithm Pedro Domingos points out in his Medium blog:

“There’s often a tradeoff between accuracy and explainability. I would rather be diagnosed by an algorithm that is 90 percent accurate and gives no explanations than by one that is 80 percent accurate and does. Different people will make different choices in different situations. Why should the government impose the same one on everyone?”

Some Oxford researchers doubt whether the GDPR can actually be enforced. In a January 2017 paper, Data Ethics Researcher Sandra Wachter and others argue that the “GDPR lacks precise language as well as explicit and well-defined rights and safeguards against automated decision-making, and therefore runs the risk of being toothless.”

What to expect next? We’ll have to wait and see. Meanwhile the European Commission is spending €1.7 million to train data protection professionals, and another €2 million to support national data protection authorities. There will be a stakeholders discussion on the GDPR next year, and the EC will produce an evaluation and review in 2020.

* * *

Journalist: Tony Peng|Editor: Michael Sarazen

* * *

Subscribe here to get insightful tech news, reviews and analysis!