The right to human review of decisions made fully by computers should not be removed ‘while AI is still in its infancy’, the professional body for IT has warned. A government consultation on personal data suggests human appeal against some automated decisions by AI (which might include recruitment or loan eligibility) could be unnecessary. But because AI doesn’t always involve personal data to make decisions about us, true protection of our right to revisit must consider wider regulation of AI, according to BCS, The Chartered Institute for IT.
The consultation Data: A New Direction, launched by the Department for Digital, Culture, Media and Sport (DCMS), is looking to update the UK’s version of the GDPR. DCMS is seeking further evidence before forming firm proposals on reform of the UK’s existing data legislation, including considering the removal of Article 22 of the GDPR. Article 22 focuses specifically on the right to review fully automated decisions.
Dr Sam De Silva, Chair of BCS’ Law Specialist Group and a partner at law firm CMS, explained: “Article 22 is not an easy provision to interpret and there is danger in interpreting it in isolation like many have done. “We still do need clarity on the rights someone has in the scenario where there is fully automated decision making which could have significant impact on that individual.
“We would also welcome clarity on whether Article 22(1) should be interpreted as a blanket prohibition of all automated data processing that fits the criteria or a more limited right to challenge a decision resulting from such processing. As the professional body for IT, BCS is not convinced that either retaining Article 22 in its current form or removing it achieves such clarity. We also need to consider that protection of human review of fully automated decisions is currently in a piece of legislation dealing with personal data. If no personal data is involved the protection does not apply, but the decision could still have a life-changing impact on us.”
“For example, say an algorithm is created deciding whether you should get a vaccine. The data you need to enter into the system is likely to be DOB, ethnicity, and other things, but not name or anything which could identify you as the person. Based on the input, the decision could be that you’re not eligible for a vaccine. But any protections in the GDPR would not apply as there is no personal data. So, if we think the protection is important enough it should not go into the GDPR. It begs the question – do we need to regulate AI generally – and not through the “back door” via GDPR?
“It‘s welcome that government is consulting carefully before making any changes to people’s right to appeal decisions about them by algorithms and automated systems – but the technology is still in its infancy.”
BCS, the Chartered Institute for IT supports the consultation and will be gathering views from across its membership. The consultation says that “automated decision making is likely to increase greatly in many industries in the coming years. The need to maintain a capability to provide human review may, in future, not be practicable or proportionate, and it is important to assess when this safeguard is needed and how it works in practice.”
It acknowledges that there may be “legitimate need for certain ‘high risk’ AI-derived decisions to require a human review, even if this restricts the scope of use of such systems or makes them slower.”
DCMS said it is seeking further evidence as part of the consultation before forming firm proposals on Article 22 and the right to request a review of fully automated decisions.