Abstract
The use of AI systems and related applications records a continuous and constant increase in different fields of research and daily life, based on large amounts of data flows that are uploaded and circulating online and, as stated by doctrine, constitute the main resource of the digital economy. In recent years, however, the development of communication channels and information flows has led to an exponential increase in the amount of data available, making it possible to develop a series of AI applications. On these considerations it is necessary to identify the legal framework of the relationship between circulation online and processing of data and AI systems, both with reference to personal data (which constitute the most significant percentage) and with reference to non-personal data, regarding to the regulatory framework existing (based mainly on the GDPR and Regulation UE 1087/2018). If, indeed, the spread and increase of AI systems can contribute to the EU strategy of increase the digital single market, it is nevertheless necessary to maintain the optimal standards of protection of personal data and, more generally, of the protection of the personality rights on (and in) the Net.
DiGIES—Università Mediterranea di Reggio Calabria: this paper is the result of the common studies and dialogue of the two authors; in the drafting of the final text, Angela Busacca wrote paragraphs 1 and 3 and Melchiorre Monaca paragraph 2.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Art. 4 defines, for the purpose of Regulation, personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
- 2.
Art. 4 defines, for the purpose of Regulation, processing activities as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- 3.
Art. 25 Data protection by design and by default: Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
- 4.
Art. 22 Automated individual decision-making, including profiling: (1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. (2) Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent. (3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
- 5.
Article 15 Right of access by the data subject: (1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: … (h) | the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
References
Bassini, M., Liguori, L., Pollicino, O.: Sistemi di Intelligenza Artificiale, responsabilità e accountability. Verso nuovi paradigmi? In: Pizzetti, F. (a cura di) Intelligenza artificiale, protezione dei dati personali e regolazione, p. 333. Ed. Giappichelli Torino (2018)
Belisario, E.: art. 15. Diritto di accesso dell’interessato. In Riccio, G.M., Scorza, G., Belisario, E. (a cura di) GDPR e normativa privacy, p. 219. Ed. WKI, Milano (2018)
Bichi, R.: Intelligenza artificiale tra “calcolabilità” del diritto e tutela dei diritti in Giurisprudenza Italiana, p. 1772 (2019)
Bifulco, R.: Intelligenza artificiale, internet e ordine spontaneo. In Pizzetti, F. (a cura di) Intelligenza artificiale, protezione dei dati personali e regolazione, p. 383. Ed. Giappichelli Torino (2018)
Bolognino, L., Pelino, E., Bistolfi, C.: Il nuovo regolamento privacy europeo. Ed. Giuffrè Milano (2016)
Busto, N.: La personalità elettronica dei robot: logiche di gestione del rischio tra trasparenza e fiducia. In Cyberspazio e diritto, p. 499 (2017)
Caia, A.: art. 22 Processo decisionale automatizzato relativo alle persone fisiche, compresa la profilazione. In Riccio, G.M., Scorza, G., Belisario, E (a cura di) GDPR e normativa privacy, p. 219. Ed. WKI, Milano (2018)
Contucci, P.: Intelligenza artificiale tra rischi ed opportunità in Il Mulino, p. 637 (2019)
Coppini, L.: Robotica e intelligenza artificiale: questioni di responsabilità civile in Politica del diritto, p. 713 (2018)
D’Acquisto, G.: Qualità dei dati e Intelligenza Artificiale: intelligenza dei dati e intelligenza dei dati. In Pizzetti, F. (a cura di) Intelligenza artificiale, protezione dei dati personali e regolazione, p. 265. Ed. Giappichelli Torino (2018)
D’Acquisto, G., Naldi, M.: Big Data e Privacy by Design. Ed. Giappichelli Torino (2017)
De Gregorio, G., Torino, R.: Privacy protezione dei dati personali e Big Data. In Tosi, E. (a cura di) Privacy Digitale, p. 447. Ed. Giuffrè, Milano (2019)
Di Resta, F.: La nuova “privacy europea”. Ed. Giappichelli Torino (2018)
Falce, V., Ghidini, G., Oliveri, G.: Informazione e Big data tra innovazione e concorrenza. Ed. Giuffrè Milano (2017).
Farace, D.: Privacy by design e privacy by default. In Tosi, E. (a cura di) Privacy Digitale, p. 485. Ed. Giuffrè, Milano (2019)
Finocchiaro, G.: Intelligenza artificiale e protezione dei dati personali. In In Giurisprudenza Italiana, p. 1670 (2019)
Finocchiaro, G.: Il nuovo regolamento europeo sulla privacy e sulla protezione dei dati personali. Ed. Zanichelli Bologna (2017)
Gambino, A.M., Stazi, A., Mula, D.: Diritto dell’informatica e della comunicazione. Ed. Giappichelli Torino (2019)
Gorassini, A.: Lo spazio digitale come oggetto di un diritto reale? In Rivista di diritto dei media (2018)
Italiano, G.F.: Le sfide interdisciplinari dell’intelligenza artificiale. In Analisi giuridica dell’economia, p. 9 (2019)
Messinetti, R.: La tutela della persona umana versus l’intelligenza artificiale. Potere decisionale dell’apparato tecnologico e diritto alla spiegazione della decisione automatizzata in Contratto e Impresa, p. 861 (2019)
Moro Visconti, R.: L’intelligenza artificiale: modelli di business e criteri di valutazione in Il diritto Industriale, p. 421 (2018)
Moro Visconti, R.: La valutazione delle blockchain: Internet of Value, network digitali e smart transaction, in Il diritto Industriale, p. 301 (2019)
Musacchio, M., Guaita, G., Ozzello, A., Pellegrini, M.A., Ponzani, P., Zilich, R., De Micheli, A.: Intelligenza Artificiale e Big Data in ambito medico: prospettive, opportunità e criticità. J. AMD, 21-3, 204 (2018)
Naldi, M.: Prospettive economiche dell’Intelligenza Artificiale. In Pizzetti, F. (a cura di) Intelligenza artificiale, protezione dei dati personali e regolazione, p. 225. Ed. Giappichelli Torino (2018)
Orefice, M.: I Big Data e gli effetti su privacy, trasparenza e iniziativa economica. Ed. Aracne Roma (2018)
Ottolia, A.: Big data e innovazione computazionale. Ed. Giappichelli Torino (2017)
Pascuzzi, G.: Il diritto dell’era digitale. Ed. Il Mulino Bologna (2017)
Passaglia, P., Poletti, D.: Nodi virtuali legami informali: internet alla ricerca di regole. Pisa University press (2017)
Pellecchia, E.: Privacy, decisioni automatizzate e algoritmi. In Tosi, E. (a cura di) Privacy Digitale, p. 417. Ed. Giuffrè, Milano (2019)
Pizzetti, F.: La protezione dei dati personali e la sfida dell’Intelligenza Artificiale. In Pizzetti, F. (a cura di) Intelligenza artificiale, protezione dei dati personali e regolazione, p. 5. Ed. Giappichelli Torino (2018)
Poletti, D., Causarano, M.C.: Autoregolamentazione privata e tutela dei dati personali: tra codici di condotta e meccanismi di certificazione. In Tosi, E. (a cura di) Privacy Digitale, p. 369. Ed. Giuffrè, Milano (2019)
Ruffolo, U., Amidei, A.: Intelligenza artificiale e diritti della persona: le frontiere del “transumanesimo”. In Giurisprudenza Italiana, p. 1658 (2019)
Rulli, E.: Giustizia predittiva, intelligenza artificiale e modelli probabilistici. Chi ha paura degli algoritmi. In Analisi Giuridica dell’Economia, p. 533 (2018)
Sica, S., D’Antonio, V., Riccio, G.M.: La nuova disciplina europea della privacy. Ed. Giappichelli Torino (2016)
Tosi, E.: Privacy digitale, persona e mercato: tutela della riservatezza e protezione dei dati personali alla luce del GDPR e del nuovo Codice della Privacy. In Tosi, E. (a cura di) Privacy Digitale, p. 1. Ed. Giuffrè, Milano (2019)
Zellini, P.: La dittatura del calcolo. Ed. Adelphi Milano (2018)
Zeno Zencovich, V.: Dati, grandi dati, dati granulari e la nuova epistemologia del giurista. In Rivista di diritto dei media (2018)
Zeno Zencovich, V.: Profili negoziali degli attributi della personalità, in Il diritto dell’informazione e dell’informatica, p. 545 (1993)
CONVENTION 108—28 January 1981—Council of Europe Convention for protection of Individuals with regards to Automatic Processing of Personal Data
Modernised Convention for protection of Individuals with regards to Automatic Processing of Personal Data—18 May 2018—Council of Europe, 128th Session of the Committee of Minister
GUIDELINES ON AI AND Data PROTECTION (T-PD 2019/01), Consultative Committee of the Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)
REGULATION (EU) 2018/1807 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
COMUNICATION 795/2018 Communication from the Commission to the European Parliament, the European Parliament, the European Council, the Council, the European economic and social Committee, and the Committee of the Regions on a “Coordinated Plan on Artificial Intelligence”
CEPEJ European Ethical Charter on the use of artificial intelligence (AI) in judicial systems and their environment, adopted at the 31st plenary meeting of the CEPEJ (Strasbourg, 3–4 December 2018)
European Parliament Resolution 12 February 2019 on a comprehensive European industrial policy on artificial intelligence and robotics 2018/2088 (INI)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Busacca, A., Monaca, M.A. (2020). Processing of Personal Data and AI: GDPR Guarantees and Limits (Between Individual Data and BIG DATA). In: Marino, D., Monaca, M. (eds) Economic and Policy Implications of Artificial Intelligence. Studies in Systems, Decision and Control, vol 288. Springer, Cham. https://doi.org/10.1007/978-3-030-45340-4_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-45340-4_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45339-8
Online ISBN: 978-3-030-45340-4
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)