Terminology Archives - TechGDPR
https://techgdpr.com/blog/category/terminology/
Feed last updated Mon, 29 Jul 2024 15:41:26 +0000

Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment
https://techgdpr.com/blog/difference-fundamental-rights-impact-assessment-dpia/
Published Tue, 30 Jul 2024 07:00:00 +0000
Through the AI Act, the EU seeks to ensure that AI systems used within the Union are safe and transparent. The EU AI Act provides a regulatory framework focused on safeguarding fundamental rights in relation to high-risk AI systems. Companies making use of AI, regardless of their size or industry, must now comply with the AI Act’s provisions. This marks a significant step towards responsible and ethical AI development and deployment across the region. Article 113 of the EU AI Act states that the Regulation “[…] shall apply from 2 August 2026”, that is, 24 months after its entry into force on 1 August 2024. However, some provisions become applicable sooner (for example the prohibited practices in Chapter II, from 2 February 2025) or later (the high-risk systems covered by Article 6(1), from 2 August 2027), so the applicable date has to be checked per provision.

Crucial to the AI Act is that certain deployers of high-risk AI systems must conduct a Fundamental Rights Impact Assessment (FRIA) before putting such a system into use. Under Article 27(1) this obligation falls on deployers that are bodies governed by public law or private entities providing public services, and on deployers of the credit-scoring and life and health insurance systems listed in Annex III, point 5(b) and (c). The assessment proactively identifies and mitigates potential harms to individuals. Notably, the FRIA shares similarities with the Data Protection Impact Assessment (DPIA) mandated under Article 35 of the GDPR, which underscores the intersection of data protection and fundamental rights in the context of AI systems.

What is a Fundamental Rights Impact Assessment (FRIA)?

While the EU AI Act does not expressly define the FRIA, it explains the objective of the assessment and states what the assessment must contain. Recital 96 of the AI Act states that “The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals…”. Moreover, the FRIA helps to “identify measures [to take] in the case of a materialisation of those risks”. Organisations must conduct the FRIA “prior to deploying the high-risk AI system”. They are also required to update it “when ... any of the relevant factors have changed”.

In other words, a FRIA is an evaluation of the risks that high-risk AI systems present to individuals’ rights, together with the determination of remediation strategies to manage and mitigate those risks should they materialise.

What should a Fundamental Rights Impact Assessment contain?

According to Article 27(1) of the EU AI Act, the Fundamental Rights Impact Assessment should contain the following information:

(a) a description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose;

(b) a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used;

(c) the categories of natural persons and groups likely to be affected by its use in the specific context;

(d) the specific risks of harm likely to have an impact on the categories of natural persons ..., taking into account the information given by the provider pursuant to Article 13 (transparency obligations of AI providers);

(e) a description of the implementation of human oversight measures, according to the instructions for use;

(f) the measures to be taken in the case of the materialisation of those risks, including the arrangements for internal governance and complaint mechanisms.

Interestingly, Article 27(4) of the EU AI Act states that if organisations meet “any of the obligations laid down in this Article […] through the data protection impact assessment conducted pursuant to Article 35 of [the GDPR]…, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment”. Essentially, the fundamental rights impact assessment should complement the data protection impact assessment.

Intersection between Fundamental Rights Impact Assessment and Data Protection Impact Assessment

Article 35 of the GDPR requires a DPIA where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons; the assessment evaluates the impact of the envisaged processing operations on the protection of personal data. On this basis, the FRIA and the DPIA are parallel instruments: each assesses the impact on individuals’ rights, the FRIA for high-risk AI systems and the DPIA for high-risk processing operations.

The table below offers a quick overview of the minimum information requirement for the FRIA and DPIA:

Topic | FRIA | DPIA | Comments
Description of processing | ✔️ | ✔️ | FRIA: description of the deployer’s processes in which the system is used. DPIA: description of the controller’s processing operations.
Purpose of processing | | ✔️ |
The legitimate interests pursued | | ✔️ |
Risks to the rights and freedoms of individuals | ✔️ | ✔️ | FRIA: specific risks to the affected individuals, taking into account the information provided by the provider of the AI system. DPIA: risks to individuals, taking into account the nature, scope, context and purposes of the processing operation.
The necessity / proportionality of the operations in relation to the purposes | | ✔️ |
Measures to address the risks | ✔️ | ✔️ | FRIA: measures to be taken if the risks materialise, including internal governance arrangements and a complaint mechanism. DPIA: safeguards and security measures to protect personal data and to demonstrate compliance with the GDPR.
The time period and frequency of intended use | ✔️ | |
Categories of natural persons likely to be affected | ✔️ | |
Implementation of human oversight measures | ✔️ | |

FRIA and DPIA in practice

The minimum requirements for the FRIA and the DPIA differ. In practice, however, both assessments usually include additional information, which makes them quite similar. For example, Article 35 of the GDPR does not mandate the inclusion of data subject categories in the DPIA, yet organisations logically include such details in order to identify risks to individuals’ rights and freedoms. Similarly, the EU AI Act does not explicitly require the purpose and proportionality of the processes in the FRIA, yet organisations naturally include them when describing the processes and the necessity of the AI system.

What are the differences?

The major difference between the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment is their focus point. The FRIA focuses on how the AI system directly impacts the rights of individuals. The DPIA focuses on how the processing operation impacts the protection of personal data and the rights of individuals.

The table below provides an overview of the major differences between the FRIA and the DPIA:

FRIA | DPIA
Required for high-risk AI systems (for the deployers named in Article 27(1)) | Required where processing is likely to result in a high risk to individuals, in particular (Article 35(3)): systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories of data or criminal-offence data; systematic large-scale monitoring of a publicly accessible area
Relates to deployers of high-risk AI systems | Relates to controllers
Deals with the impact of high-risk AI systems on the rights of individuals | Deals with the impact of processing operations on the rights of individuals
Is focused on mitigating risks to ensure that the rights of individuals are protected | Is focused on mitigating risks to ensure that personal data is protected
Considers information provided by the provider of the high-risk AI system | Considers information relating to the nature, scope, context and purposes of the processing operation

Summary

The major takeaway is that the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment play complementary roles. At least, this is the intent of the EU AI Act according to Article 27(4). Organisations deploying high-risk AI systems that process personal data will therefore have to conduct both assessments. If your organisation is a provider of high-risk AI systems, there is no requirement to conduct the FRIA. However, providers must make information available to deployers of the AI system so that the FRIA can be carried out, because a substantial part of the assessment relies on the information presented by AI providers.

Given that the EU AI Act is new, organisations may struggle to identify their role in the AI value chain and to comply with the requirements attached to that role. At TechGDPR, we assess your processing operations, the information provided by AI providers and the envisaged implementation of the AI system to help determine which requirements apply under the EU AI Act. We can help you correctly classify the AI system(s) your organisation plans to manufacture or deploy, ensuring early detection of any outright prohibitions. This prevents your organisation from wasting valuable resources on systems not allowed within the EU.

A Comparison of POPIA and GDPR in Key Areas
https://techgdpr.com/blog/a-comparison-of-popia-and-gdpr-in-key-areas/
Published Tue, 28 Jul 2020 14:36:18 +0000
South Africa’s Protection of Personal Information Act (POPIA) will see its final sections go into effect on 30 June 2021. Furthermore, parties subject to POPIA must be fully compliant with the guidelines by 1 July 2021. A number of them may have a head start if they already adhere to established data protection guidelines such as the European Union’s General Data Protection Regulation (GDPR). However, they may still be unaware about the extent to which they must adapt to POPIA. This article therefore provides a comparison of POPIA and GDPR to provide a helpful guide for parties subject to both regulations.

GDPR and POPIA are fairly similar overall, albeit with some differences in terminology, organisation of the respective articles, and greater specificity on the part of GDPR.

Key Definitions in GDPR and POPIA

Key Terms

Definition

Personal information (POPIA)
Personal data (GDPR)
Information relating to an identifiable, living, and natural person.

POPIA also includes juristic persons, where applicable.

Processing
Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information. This includes:
  • Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
  • Dissemination by means of transmission, distribution or making available in any other form
  • Merging, linking, as well as restriction, degradation, erasure or destruction of information
Consent
Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

POPIA also mentions that it is “subject to interpretation regarding what constitutes a voluntary expression of will”

Data Subject
The person to whom personal information relates.
Responsible Party (POPIA)
Data Controller (GDPR)
A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Operator (POPIA)
Data Processor (GDPR)
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

POPIA’s counterpart to the processor is the “operator”: a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. Operators have only limited direct obligations under POPIA (processing only with the responsible party’s authorisation, confidentiality, and notifying the responsible party of a security compromise), so the responsible party remains the party primarily accountable for POPIA violations.

Information Regulator (POPIA)
Supervisory Authority (GDPR)
A juristic person with jurisdiction throughout the Republic (POPIA) or the member state (GDPR), which is subject only to the Constitution and the law and must perform its functions in accordance with POPIA/GDPR. Under POPIA the Information Regulator is accountable to the National Assembly.

A key difference between the Information Regulator and Supervisory Authority is explained below.

Information Officer
A role carried over from South Africa’s pre-existing access-to-information law, the Promotion of Access to Information Act (PAIA). The responsible party is obliged to register the designation of its Information Officer with the Regulator. Responsibilities of the IO include:
  • Encouraging compliance with POPIA and the conditions for lawful processing
  • Dealing with any request made to the organisation (it is unclear what “any request” covers)
  • Cooperating with the Information Regulator in respect of any investigation

The comparable GDPR role is the Data Protection Officer. However, the IO is responsible for ensuring compliance with POPIA, while the DPO must supervise and advise but remain independent.

Deputy Information Officer
A person or persons designated in accordance with section 56 to help the Information Officer perform his or her tasks.

The GDPR does not set out a comparable role.

Special Personal Information (POPIA)
Special Categories of Personal Data (GDPR)
The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.

The criminal behaviour of a data subject to the extent that such information relates to alleged offenses. Additionally, any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

POPIA and GDPR cover the same content here, but POPIA places criminal offences within the category of special personal information, while the GDPR deals with criminal-offence data separately (Article 10).

A key difference between the Information Regulator (POPIA) and the Supervisory Authority (GDPR)

Responsible parties under POPIA must obtain prior authorisation from the Regulator in order to:

  • process unique identifiers of data subjects for a purpose other than the one specifically intended at collection, with the aim of linking them to identifiers processed by other responsible parties
  • process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties
  • process information for the purpose of credit reporting
  • transfer special personal information, or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

The Regulator may extend these provisions by law or regulation to other types of processing if such processing carries a particular risk for the legitimate interests of the data subject.

In comparison, the GDPR’s supervisory authority mainly monitors and enforces compliance; it does not operate a general prior-authorisation scheme, although a controller must consult it under Article 36 where a DPIA indicates that the residual risk remains high.

What are the Conditions (principles) for processing personal information in GDPR and POPIA?

For both the GDPR and POPIA, accountability is the central principle for processing personal information. Under accountability, both regulations specify that the controller/responsible party demonstrate compliance with the following conditions (principles):

Conditions/Principles

Definition

Processing Limitation
Data must be processed lawfully and reasonably, adhering to the concept of minimality (minimisation in GDPR). In other words, the processing should be adequate, relevant and not excessive.

Collection must come directly from the data subject, except under certain specified circumstances.

Here, POPIA combines minimality and the requirement to collect data directly from the data subject, while GDPR puts these concepts under two articles.

Purpose specification (POPIA)
Purpose limitation and storage limitation (GDPR)
“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.” The data subject must be made aware of the purpose of the collection, barring the exceptions outlined in section 18(4).

“Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected,” except where retention is required by law, a contract, etc.

Further Processing
Once data has been processed, further processing may only occur if the purpose of the further processing is compatible with the purpose for which it was collected.
Information Quality (POPIA) Accuracy (GDPR)
The responsible party must ensure the personal information to be complete, accurate, not misleading and updated.
Openness
  • The responsible party must maintain the documentation of all processing operations
  • The responsible party, must ensure, at the time of collection, that the data subject is aware of:
    • The information collected and its source if not from the DS
    • The name and address of the responsible party
    • The purpose of collecting the information
    • Whether the information collection is mandatory or voluntary
    • The consequences of failure to provide the information
    • Any law requiring the collection of the information
    • Any intention of the responsible party to transfer the information to a third country and the level of protection afforded by that third country
    • Recipients of the information
    • The nature of the information
    • Their rights to object to the information processing and to officially lodge a complaint with the Information Regulator

The GDPR stipulates that “the controller shall provide” the information above, whereas POPIA only requires that the data subject be made “aware of” it, which is harder to prove or disprove. As a result, responsible parties are held to a lower standard of accountability on this point.

Security Safeguards
The “responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures” (TOMs):
  • Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control
  • Establish and maintain appropriate safeguards against the risks identified
  • Regularly verify that the safeguards are effectively implemented
  • Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards
Data subject participation
  • The right to access (after providing proof of identity)
  • Right to ask the responsible party to correct or delete personal information that is “inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

Data subject participation is further explained in the section below on the Rights of Data Subjects.

How does the scope of application of POPIA compare with that of the GDPR?

POPIA applies when the responsible party is:

  • Domiciled in the Republic
  • Not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.

This scope is comparable to the EU’s pre-GDPR Data Protection Directive (95/46/EC), which was tied to the controller’s establishment or its use of equipment in a member state. The GDPR goes further: it applies to a controller or processor established in the EU regardless of where the processing takes place; to a controller or processor not established in the EU that offers goods or services to, or monitors the behaviour of, data subjects who are in the Union (whatever their nationality); and where member state law applies by virtue of public international law (Article 3).

What are the exceptions to the prohibition on processing special personal information under POPIA and GDPR?

Under both POPIA and GDPR, responsible parties/controllers may process special personal information if the processing:

  • is carried out with the consent of the data subject
  • is necessary for the establishment, exercise or defence of a right or obligation in law
  • is necessary in order to comply with an obligation of international public law
  • is for historical, statistical or research purposes, to the extent that
    • the purpose serves a public interest and the processing is necessary for that purpose, or
    • it appears to be impossible or would involve a disproportionate effort to ask for consent, and
    • sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent
  • concerns information that has deliberately been made public by the data subject
  • has been authorised by the Regulator upon application by the responsible party, on the basis of public interest and established safeguards

How does POPIA’s justification of processing compare with the GDPR’s legal bases

Under POPIA and GDPR, processing is justified when:

  • consent is obtained from the data subject, or from a competent person where the data subject is a child
  • the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party
  • the processing complies with an obligation imposed by law on the responsible party
  • the processing is necessary for the proper performance of a public law duty by a public body
  • the processing protects a legitimate interest of the data subject. This might be read to cover the data subject’s “vital interests”, the term the GDPR uses, but this is unclear.
  • the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied. POPIA expressly names the legitimate interests of such third parties here.

Rights of data subjects

POPIA right | GDPR equivalent and nuances
The right to be notified | Right to be informed
The right to access | Right of access
The right to request correction, deletion or destruction of personal information | Right to rectification and right to erasure
The right to object, where the processing is justified by the legitimate interests of the data subject or of the responsible party, or where the processing is for direct marketing purposes | The right to object, where processing is necessary for the performance of a task carried out in the public interest or to fulfil the controller’s legitimate interests
The right not to have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications |
The right not to be subject, under certain circumstances, to a decision which has legal consequences and is based solely on automated processing (further discussed below under “Additional Remarks”) | Right not to be subject to a decision based solely on automated processing
The right to complain to the Regulator | Right to lodge a complaint with the supervisory authority
The right to an effective judicial remedy | Right to an effective judicial remedy against a controller or a processor

How does POPIA compare with GDPR in the following circumstances?

Processing for the purpose of direct marketing

Under both POPIA and the GDPR (read together with the ePrivacy rules), processing personal information for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMS or e-mail, is prohibited unless the data subject has consented to the processing or is an existing customer of the responsible party, subject to the conditions in section 69(3) of POPIA. In other words, the responsible party has obtained the data subject’s contact details in the context of the sale of a product or service and is marketing its own similar products or services.

Additionally, it is essential that the data subject be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to direct marketing related use of their electronic details. Direct marketing communication must accordingly contain the details and identity of the sender in addition to an address or other contact information to which the recipient may request that such communications cease.

Transfers outside of Republic under POPIA

The responsible party must not transfer personal information to a third party in a foreign country aside from the following exceptions.

Transfer exception | Remarks
The third-party recipient is subject to a law, binding corporate rules (policies within a group of undertakings) or a binding agreement which provides an adequate level of protection. | Although very similar to the GDPR, there is no certainty as to what a “binding agreement” refers to: it could mean a law equivalent to the GDPR, or it could look more like the GDPR’s Standard Contractual Clauses.
The data subject consents to the transfer. | Under the GDPR, consent of the data subject is likewise a clear exception allowing transfers outside the EU that are not covered by appropriate safeguards.
The transfer is necessary in order to perform a contract. | This will undoubtedly be a source of debate, since responsible parties will tend to consider their own business choices “necessary”.
The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the data subject’s consent, and if it were practicable the data subject would be likely to give it. | This exception expects responsible parties to apply a high standard of conduct, relying on an objective assessment of what is “reasonably practicable” and of the data subject’s likelihood of consenting.

Additional Remarks

  • The Regulator may exempt any responsible party from compliance with POPIA for the purpose of satisfying a public interest or for the benefit of the data subject.
  • POPIA’s exceptions to the prohibition on automated decision-making rest on a contract or on a law or code of conduct, not on the data subject’s consent. Moreover, POPIA’s safeguards for automated decision-making are narrower than the GDPR’s: POPIA only provides the opportunity to make representations, whereas the GDPR provides a trio of rights: to obtain human intervention, to express one’s point of view and to contest the decision.
  • Responsible parties under POPIA may process personal information where the processing is deemed to be in the data subject’s legitimate interest. The phrasing of this concept is ambiguous and will likely become a source of abuse: a convenient line of defence for a business is to argue that it has in fact evaluated the data subject’s interest. The customary “assessments of interests” done by marketing departments are reflected in cookie banners like the one shown below.
[Image: cookie banner]

In the long run, as a cultural shift towards more privacy takes place, friction will increase between individuals who want more privacy and organisations who want more data. Accordingly, regulations like POPIA and the GDPR are essential for working through this friction.


This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

What is the difference between personally identifiable information (PII) and personal data?
https://techgdpr.com/blog/difference-between-pii-and-personal-data/
Published Thu, 27 Jun 2019 12:33:16 +0000
When organisations seek to protect their user’s data, it is necessary that they understand the data they need to safeguard. Personal data, in the context of GDPR, covers a much wider range of information than personally identifiable information (PII), commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII.

This calls for some explanation. 

What is PII?

Personally identifiable information is defined by the US Office of Privacy and Open Government as:

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

To distinguish an individual is to identify an individual by discerning one person from another and to trace an individual is to process sufficient information to make a determination about a specific aspect of an individual‘s activities or status. Following this definition, name, email address, postal address, phone number, personal ID numbers (e.g., social security, passport, driver’s license, bank account) are considered PII.

Information is designated as linked if a single piece of personal information can be used to identify an individual (e.g. birth name). Information is categorised as linkable if, on its own, it is not sufficient to identify a person, but when combined with another piece of information it could identify, trace or locate a person (e.g. birth date).

Take for instance two datasets that each contain different PII. If both become accessible to the same person, combining them makes it possible to identify individuals or to learn additional information about them. This is where information security comes into play: if the controls meant to keep the data sources separate are insufficient, the data is effectively linked. Where the additional source remains external or at a distance, as with siloed databases within an organisation or publicly accessible information reachable through a search engine, the data is only linkable.
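The two-dataset scenario above, worked through as an added example that is not code from the original article. Both tables are constructed sample data; the names, fields and the coarsening rule are assumptions for illustration. It goes a little beyond the paragraph: besides performing the join that turns linkable fields into linked ones, it applies a simple generalisation (birth year, two-digit postcode prefix) and then checks whether any record is still uniquely re-identifiable, which is the check a practitioner wants before calling a dataset de-identified.

```python
"""Record linkage across two 'siloed' datasets on quasi-identifiers.

Added example, not code from the original article. Both tables below are
constructed sample data. It shows why a field that is only 'linkable' on
its own (birth date, postcode, sex) becomes 'linked' as soon as someone
can join it against a second dataset that carries a name, and why
coarsening those fields has to be verified rather than assumed to work.
"""
from collections import defaultdict

# Constructed: a de-identified dataset with direct identifiers (name,
# ID number) removed but quasi-identifiers retained.
STUDY_RECORDS = [
    {"birth_date": "1985-03-12", "postcode": "10115", "sex": "F", "diagnosis": "asthma"},
    {"birth_date": "1990-07-01", "postcode": "20095", "sex": "M", "diagnosis": "hypertension"},
    {"birth_date": "1972-11-30", "postcode": "80331", "sex": "F", "diagnosis": "migraine"},
]

# Constructed: a separately held, identified dataset (a customer list or a
# public register) that shares the same quasi-identifiers.
CUSTOMER_RECORDS = [
    {"name": "Alice Example", "birth_date": "1985-03-12", "postcode": "10115", "sex": "F"},
    {"name": "Bob Example", "birth_date": "1985-03-12", "postcode": "10115", "sex": "M"},
    {"name": "Carol Example", "birth_date": "1985-09-02", "postcode": "10178", "sex": "F"},
    {"name": "Dan Example", "birth_date": "1990-07-01", "postcode": "20095", "sex": "M"},
    {"name": "Erin Example", "birth_date": "1990-01-15", "postcode": "20099", "sex": "M"},
    {"name": "Frances Example", "birth_date": "1972-11-30", "postcode": "80331", "sex": "F"},
]


def exact_key(row):
    """Join key using the quasi-identifiers exactly as stored."""
    return (row["birth_date"], row["postcode"], row["sex"])


def generalised_key(row):
    """Coarsened join key: birth year only, two-digit postcode prefix, sex.

    This is the kind of generalisation applied to make records less unique
    (an assumed rule for this example, not a standard from the article).
    """
    return (row["birth_date"][:4], row["postcode"][:2], row["sex"])


def link_records(anonymised, identified, key_fn):
    """Join the de-identified records to the identified ones on key_fn.

    Returns one dict per anonymised record with its sensitive attribute and
    the list of names that share its join key. An empty list means no match;
    exactly one name means the record has been re-identified.
    """
    index = defaultdict(list)
    for row in identified:
        index[key_fn(row)].append(row["name"])
    return [
        {"diagnosis": row["diagnosis"], "candidates": list(index.get(key_fn(row), []))}
        for row in anonymised
    ]


def uniquely_reidentified(linked):
    """Sensitive values that map to exactly one named person after linkage."""
    return [r["diagnosis"] for r in linked if len(r["candidates"]) == 1]


def k_anonymity(records, key_fn):
    """Size of the smallest group sharing a join key (k=1: someone is unique)."""
    counts = defaultdict(int)
    for row in records:
        counts[key_fn(row)] += 1
    return min(counts.values())


if __name__ == "__main__":
    exact = link_records(STUDY_RECORDS, CUSTOMER_RECORDS, exact_key)
    print("exact join, re-identified:", uniquely_reidentified(exact))
    coarse = link_records(STUDY_RECORDS, CUSTOMER_RECORDS, generalised_key)
    print("generalised join, still re-identified:", uniquely_reidentified(coarse))
    print("k-anonymity of customer list under generalised key:",
          k_anonymity(CUSTOMER_RECORDS, generalised_key))
```

Run it directly to print the re-identified diagnoses. Note that the generalised key still leaves one study record unique: whether a field is "linkable" is a property of the data an adversary can reach, not of the field in isolation, so the separation controls and the residual uniqueness both have to be checked.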

What is sensitive PII?

PII is considered sensitive if its loss, compromise or unauthorised disclosure could result in harm, embarrassment, inconvenience or unfairness to an individual. For instance, the following information is considered to be sensitive PII:

  • medical
  • educational
  • financial
  • employment information

What is personal data under GDPR?

The GDPR, in Article 4(1), defines personal data as follows:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Overview of PII and Personal Data

In this definition we see four main elements: “any information”, “relating to”, “an identified or identifiable” and “natural person”.  

First element: “any information”

The term “any information” clearly calls for a wide interpretation of the concept (this four-element reading goes back to the Article 29 Working Party’s Opinion 4/2007 on the Directive and carries over to the GDPR). Regarding the nature of the information, both objective and subjective information about a person can be personal data. Regarding the content, personal data covers any sort of information. The definition is also technology neutral: it does not matter how the personal data is stored (alphabetical, numerical, graphical, photographic, acoustic). For example, images of individuals captured by a video surveillance system are personal data to the extent that the individuals are recognisable.

Second element: “relating to”

In general terms, information “relates” to an individual when it is about that particular individual. For data to relate to someone, at least one of the following three elements must be present: content, purpose or result. These are alternative conditions, not cumulative ones. Accordingly, the same piece of information may relate to different individuals at the same time, depending on which element is present with regard to each one.

Third element: “identified or identifiable”

A natural person is “identified” when, within a group of persons, he or she is distinguished from all other members of the group. The natural person is “identifiable” when, although the person has not yet been identified, it is possible to do so.

What information can be an identifier? The GDPR provides a non-exhaustive list of common identifiers that may allow the identification of the individual to whom the information relates: a name, an identification number, location data and online identifiers.

The reference to “directly or indirectly” identifiable means that whether a given set of identifiers is sufficient to achieve identification depends on the context.

Some characteristics are so unique that someone can be identified with no effort. If I mention “our boss”, you’ll know exactly who I am speaking about.


Fourth element: “natural person”

The concept of a natural person refers to Article 6 of the Universal Declaration of Human Rights, according to which “Everyone has the right to recognition everywhere as a person before the law”. The right to the protection of personal data is, in that sense, a universal one that is not restricted to nationals or residents of a certain country. The “natural person” element also carries the requirement that personal data is about living individuals. Under the GDPR, the personal data of deceased individuals is not covered, but may still indirectly receive some protection in certain cases, in particular when that data also concerns data subjects who are still alive.

What is sensitive data under the GDPR?

The following personal data are special categories of personal data and are subject to specific processing conditions under Article 9 of the GDPR:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade union membership;
  • genetic data, and biometric data processed for the purpose of uniquely identifying a natural person;
  • data concerning health;
  • data concerning a natural person’s sex life or sexual orientation.

What about online identifiers?

Recital 30 of the Regulation clarifies the notion of “online identifier” mentioned in Article 4(1):

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Device IDs, IP addresses and cookies are therefore personal data under the GDPR. Under the narrower, US-derived notion of PII they are frequently not treated as PII, the argument being that, taken in isolation, they do not identify or trace a specific person. From a security point of view that argument is weak: these identifiers are precisely what allows records from different servers and sessions to be joined into a profile, as Recital 30 describes.

What about pseudonymised data?

Data is considered anonymised if it does not relate to an identified or identifiable natural person, or if it has been rendered anonymous in such a manner that the data subject is not, or is no longer, identifiable.

Pseudonymisation means replacing the identifying characteristics of data with a pseudonym, that is, a value that does not allow the data subject to be identified directly. Under Article 4(5) of the GDPR this also requires that the additional information needed to re-attribute the data (for example a lookup table or a secret key) is kept separately and protected by technical and organisational measures. Are pseudonymised data still considered personal data?

According to the Article 29 Working Party (the EU data protection advisory body that preceded the European Data Protection Board), personal data that has been de-identified, encrypted or pseudonymised but can still be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not, or no longer, identifiable is no longer personal data. For data to be truly anonymised, the anonymisation must be irreversible, taking into account all the means reasonably likely to be used to re-identify the person, including combining the data with other available sources. Hashing an identifier without a secret key, for example, is not anonymisation: anyone who can enumerate the plausible inputs (e-mail addresses, phone numbers, IP addresses) can rebuild the mapping.
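The two points above, the linkability of two datasets that each look harmless on their own (discussed earlier in the post) and the difference between pseudonymised and anonymised data, can be shown concretely. The following Python is an added example and is not part of the original post: the payroll rows, postcodes and e-mail addresses are constructed for illustration, and HMAC-based pseudonymisation is used as one common technique, not as a method the GDPR or the Article 29 Working Party prescribes.

```python
"""Added example: record linkage via quasi-identifiers, and why a keyed
pseudonym is still personal data. All records are constructed."""
import hashlib
import hmac
import secrets

# Dataset A: a payroll export from which the names have been removed.
PAYROLL = [
    {"postcode": "10115", "birth_year": 1984, "salary": 61000},
    {"postcode": "10115", "birth_year": 1991, "salary": 48000},
    {"postcode": "20095", "birth_year": 1991, "salary": 52000},
    {"postcode": "80331", "birth_year": 1976, "salary": 99000},
]

# Dataset B: a building-access directory kept by a different team.
DIRECTORY = [
    {"email": "a.klein@example.com", "postcode": "10115", "birth_year": 1984},
    {"email": "b.ortiz@example.com", "postcode": "10115", "birth_year": 1991},
    {"email": "c.nair@example.com", "postcode": "10115", "birth_year": 1991},
    {"email": "d.roth@example.com", "postcode": "80331", "birth_year": 1976},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year")


def link_records(left, right, keys=QUASI_IDENTIFIERS):
    """Join two datasets on shared quasi-identifiers.

    Returns {left_row_index: [matching right records]}. One match
    re-identifies the row outright; several narrow it to a small group
    (still a privacy risk); none means this source alone cannot link it.
    """
    index = {}
    for rec in right:
        index.setdefault(tuple(rec[k] for k in keys), []).append(rec)
    return {i: index.get(tuple(rec[k] for k in keys), [])
            for i, rec in enumerate(left)}


def reidentified_salaries(left=PAYROLL, right=DIRECTORY):
    """email -> salary for every payroll row that links to exactly one person."""
    out = {}
    for i, matches in link_records(left, right).items():
        if len(matches) == 1:
            out[matches[0]["email"]] = left[i]["salary"]
    return out


def unkeyed_pseudonym(identifier):
    """Plain SHA-256: looks opaque, but anyone who can enumerate plausible
    inputs can rebuild the mapping, so this is not anonymisation."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 under a secret key held separately from the data (the
    'additional information' of Art. 4(5) GDPR). Without the key the table
    cannot be rebuilt; with it the controller can re-identify, which is
    exactly why the output is pseudonymous rather than anonymous."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonyms, candidates, fn):
    """Re-identification attempt: apply fn to every identifier the attacker
    can guess and look the results up in the pseudonymised column."""
    lookup = {fn(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def demo(key=None):
    """Count how many pseudonyms an attacker recovers in three settings."""
    key = key or secrets.token_bytes(32)
    emails = [r["email"] for r in DIRECTORY]  # guessable, e.g. from an org chart
    unkeyed = [unkeyed_pseudonym(e) for e in emails]
    keyed = [keyed_pseudonym(e, key) for e in emails]
    return {
        "unkeyed_recovered": len(dictionary_attack(unkeyed, emails, unkeyed_pseudonym)),
        "keyed_recovered_without_key": len(dictionary_attack(keyed, emails, unkeyed_pseudonym)),
        "keyed_recovered_with_key": len(
            dictionary_attack(keyed, emails, lambda e: keyed_pseudonym(e, key))),
    }


if __name__ == "__main__":
    print("linked salaries:", reidentified_salaries())
    print("pseudonym attack results:", demo())
```

Running it links two of the four payroll rows to a named person purely through postcode and year of birth, leaves one row in a group of two (b.ortiz and c.nair share both values), and leaves one unlinkable from this source. The pseudonym part recovers every unkeyed hash from the guessed e-mail list, none of the HMAC values without the key, and all of them with it: the data is protected against an outsider who lacks the key, but remains personal data in the hands of whoever holds it.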

PII includes any information that can be used to re-identify anonymous data. Information that is anonymous and cannot be used to trace the identity of an individual is non-PII. Device IDs, cookies and IP addresses are not considered PII in most US jurisdictions, but some states, such as California, do classify this data as personal information. California also classifies aliases and account names as personal information.

In a nutshell, PII refers to any information that can be used to distinguish one individual from another. The GDPR definition of personal data is – deliberately – a very broad one. In principle, it covers any information that relates to an identifiable, living individual. 

The post What is the difference between personally identifiable information (PII) and personal data? appeared first on TechGDPR.
