The UK privacy watchdog has hired its first academic expert in the field of artificial intelligence (AI) and tasked him with figuring out how to audit ‘black box’ AI algorithms.
Despite Brexit, the UK has moved ahead with the EU’s General Data Protection Regulation (GDPR), which came into force on 25 May via the GDPR-compliant UK Data Protection Act 2018.
Requirements under GDPR throw a spanner in the works for how EU privacy watchdogs like the UK’s Information Commissioner’s Office investigate and then enforce potential GDPR violations by organizations that use algorithms to make decisions about customers, for example, when profiling them for insurance or criminal punishments.
One challenge is that the best AI algorithms can create paths of action independently of code written by programmers. Instead relying human code, the algorithms are informed by multiple exposures to vast amounts of data.
The self-improving algorithms may make the right decisions more often, but when they make bad decisions influenced by biased training data, the programmers who developed them may not necessarily be able to explain why and how the program came to the conclusion it did.
Under GDPR, that creates a problem for both organizations and regulators. GDPR requires organizations using systems that make decisions without human involvement, in particular when profiling a person, are able to show to that person how a decision was made. The watchdog expects to be able to by check this by assessing the organization’s privacy impact assessment.
But as the ICO’s new resident AI expert, Dr Reuben Binns, argued in a recent paper, regulators might not be able to do carry out this part of an investigation because the audit process wrongly assumes the organization being probed can actually supply all the necessary information.
This would prevent the regulator from assessing whether data had been used to discriminate against a person.
Dr Binns, a researcher with the University of Oxford’s Computer Science division and expert on 'algorithmic decision-making', has a two-year fellowship with the ICO to research a “framework for auditing algorithms” and conducting “further in-depth research activities in AI and machine learning”.
“I am honoured to be joining the ICO as its first Postdoctoral Research Fellow. AI is fast moving and increasingly important in relation to personal data, and I’m looking forward to developing and enhancing expertise at the ICO in this area,” said Dr Binns.
Under GPDR, the ICO has the power to fine an organization £17million, equivalent to 20m euros, or 4 percent of the organization’s global turnover.
Brexit has no current impact on the UK's adoption of GDPR.
"Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK’s decision to leave the EU will not affect the commencement of the GDPR," the ICO notes.