
European Union – General Data Protection Regulation

The GDPR is the most important data regulation in the world. This article introduces some key articles and concepts of the GDPR.

The General Data Protection Regulation (GDPR) plays a pivotal role in AI governance, ensuring that personal data is protected and individual rights are upheld.

Background of GDPR

  • GDPR was introduced by the EU in May 2018 to safeguard the privacy and personal data of EU citizens.
  • It is applicable to all organizations that process the data of EU residents, irrespective of the company’s location.
  • GDPR is globally recognized as one of the strictest privacy and data security regulations.

Critical Concepts and Articles of GDPR

  1. Right to Erasure (Art. 17) A crucial provision in GDPR is the “right to erasure,” often termed the “right to be forgotten.” This provision permits individuals to ask for their personal data to be removed from the databases of entities that have stored or processed their information. This right applies in certain situations, such as when the collected data is no longer needed or when the person concerned withdraws their consent to data processing. The essence of the “right to erasure” in GDPR is to grant individuals autonomy over their personal data, ensuring it is not misused for unintended or non-consensual purposes. Entities are obligated under GDPR to address deletion requests promptly and must provide a reason if they cannot fulfil such requests. Additionally, when deleting data, it is imperative that this is done securely and permanently. Notably, there are scenarios where this right does not apply, especially when data processing is legally or contractually mandated.
  2. Right to Object (Art. 21) GDPR provides individuals with a significant “right to object.” This right entitles individuals to contest the use of their personal data under specific conditions, especially when data is used for direct marketing or processed on the basis of the entity’s legitimate interests. Should someone object to the use of their data, entities must cease processing it unless they can demonstrate a valid reason for continuing. Such reasons may arise from legal requirements, matters of public interest, or the establishment, exercise or defence of legal claims. It is vital to highlight that the “right to object” is not unrestricted: in some cases, entities may have grounds to proceed with data processing despite an objection. Yet they must rigorously evaluate each objection and establish the genuine need for the processing.
  3. Right Not to be Subject to a Decision Based Solely on Automated Processing (Art. 22) A standout provision in GDPR is Article 22, which concerns the right not to be subject to decisions made exclusively by automated means, especially where these decisions carry legal consequences or similarly significantly affect the individual. This article principally prohibits decisions derived purely from automated procedures, regardless of how involved the individual was in the data processing. If decisions made via automated processes significantly affect someone, they are entitled to be informed (under Articles 13 and 14) and to request access to their data (under Article 15). Nevertheless, there are exemptions. For example, if a decision, such as loan eligibility, is necessary for entering into or performing a contract, automated decisions may be permissible. Similarly, if the decision is based on the explicit consent of the person, this right may not apply. For entities, recognising and adhering to this right is paramount: they should transparently communicate their decision-making mechanisms and allow individuals to contest them. It is equally vital to have measures in place that guard against bias and inaccuracy in automated decision-making processes.

Extraterritorial Effect of GDPR

  • GDPR impacts organizations outside the EU that process data of EU residents.
  • Data controllers and processors must appoint a Data Protection Officer (DPO) to ensure compliance.
  • The DPO acts as a bridge between the organization, data subjects, and regulators.

GDPR has significantly influenced AI governance globally. Its robust rules ensure the responsible and ethical use of personal data in AI systems. Entities involved in AI development and deployment must adhere to GDPR requirements, highlighting the regulation’s crucial role in shaping AI governance initiatives.
© Ching-Fu Lin and NTHU, proofread by ChatGPT
This article is from the free online course AI Ethics, Law, and Policy

Created by FutureLearn - Learning For Life
