NPA 2024: From mindreading AI to the enforcement of the GDPR

Författare:

|

Datum:

|

The Nordic Privacy Arena (NPA) is the Nordic region’s largest annual gathering on the topic of data protection. Last month, the 9th edition of the NPA took place from September 30 to October 1 at Münchenbryggeriet in Stockholm. It included 25 agenda items and attracted many participants who took part in person and online.

This is the second in a three-part series on notable presentations and discussions centred on the topic of AI, which has become increasingly important with the EU’s AI Act and rapid technological advances. 

Today’s article covers two keynote speeches. Oskar MacGregor from the University of Skövde spoke about the role of privacy in AI and neuroscience. David Törngren, Acting Director General of the IMY at the time of the conference, gave an overview of the current state of data protection and its future direction, as well as the goals and challenges of the IMY.

Exploring the Intersection of AI, Neuroscience, and Privacy

Oscar MacGregor, who has a background in philosophy and neuroscience, began his talk by debunking common misconceptions about neuroscience. He cited the case of a 22-year-old woman with epilepsy who had an implant placed in her visual cortex to prevent seizures. Oscar claimed that the electrode not only suppressed the seizures, but also recorded neuronal data from her visual cortex. The researchers fed her thousands of images and recorded her brain activity. With the help of machine learning, they were able to transcribe their dreams live in black and white. This sounded very plausible, but he later revealed that it was a lie to show how easily people are fooled by the excitement of neuroscience.

Limitations of EEG and fMRI

Oscar pointed out that while EEG and fMRI offer the ability to listen to brain activity, they also have their limitations. He gave examples of exaggerated claims, such as reading thoughts or dreams with EEG, which are far from reality. He emphasized that neuroscience is complex and that brain signals are noisy. This means that there is not just one thing going on in a person’s brain that you can isolate and represent as the person’s dream or thought. He clarified that brain signals actually pose less of a privacy risk than other data such as browsing history or geographic location.

Misuse of Neuroscience 

He stated that while neuroscience itself isn’t a direct threat to privacy, its knowledge can be misused. For instance, the food industry could exploit neuroscience to create ultra-processed foods that make people crave them, overriding natural safety mechanisms like feeling full. This idea extends to other addictions like social media and smartphones, highlighting indirect threats to privacy.

Ais impact on privacy

Oskar explained that AI, in particular machine learning, increases existing privacy problems instead of creating new ones. He spoke about the automation of tasks, the derivation of sensitive data from trivial data and the amplification of bias and discrimination. He provided examples of how AI can derive sensitive information from seemingly innocuous data such as Facebook likes and how it can be used for mass persuasion. Oskar also highlighted the challenges of regulating AI and the limitations of current regulatory mechanisms.

The need for stronger regulation

Oskar noted that AI’s impact on privacy challenges existing regulations like informed consent and individual rights. He stressed the need for stronger regulations to address these issues, arguing that regulation and innovation can coexist. Just as banning child labour in mines 100 years ago did not hinder progress, modern regulations can ensure innovation aligns with societal values. While individual rights are necessary, they are insufficient when dealing with large, systemic data models. 

Data Protection’s Present and Future

David Törngren, at the time, Acting Director General of the Swedish Authority for Privacy Protection (IMY), gave a speech on data protection’s present and future. With his extensive legal experience, he provided an overview of IMY’s goals, methods, and upcoming challenges and opportunities.

David outlined IMY’s mission to ensure effective data protection through complaint handling, guidance, compliance enforcement, and legislative participation. He also announced Eric Leijonram as the new Director General and a budget increase of 34 million SEK for IMY in 2025.

Focus Areas for IMY in 2024

David outlined the areas of focus for IMY in 2024, with a particular emphasis on complaints handling. He explained that recent case law from the Swedish Supreme Administrative Court has necessitated changes to IMY’s IT-systems, support systems, organisation and internal procedures. He also spoke about the importance of clarity in case law and the ongoing development of European and Swedish case law on complaints handling

Challenges and Opportunities in Cross-Border Cases

David then addressed the challenges and opportunities in handling cross-border cases, highlighting the new EU procedural regulation which aims to harmonise procedures for cross-border cases. While recognising the potential benefits of avoiding conflicts between national administrative laws, he also raised concerns as the regulation has been described by some as bureaucratic and burdensome.

Involvement in legislation

He explained that IMY has significantly contributed to drafting new laws, particularly in relation to organised crime, which strike a balance between law enforcement and privacy protection. The Swedish Government has actively introduced these laws. IMY’s experts participate in government committees and draft responses during public consultations. He emphasised IMY’s role in advising the government at an early stage of the legislative process in order to better protect citizens’ privacy. An important topic at the moment is the upcoming legislative reform that will give employers more powers to check the backgrounds of their employees. 

Supervision and Enforcement

David summarised IMY’s monitoring and enforcement activities, focusing on investigations based on complaints and the resolution of old cases. He pointed out that litigation, especially in administrative sanctions and appeals, requires a lot of time and resources.

Preparing for the digital decade

Looking to the future, David pointed to the challenges associated with the Digital Decade, in which the EU has implemented or is implementing various pieces of technology legislation, such as the AI Act, the European Health Data Space, the Digital Services Act and the Digital Markets Act. He emphasised the need for consultation and coordination between authorities and the importance of proactive action. IMY’s priorities include the efficient processing of cases, digital development and preparation for the AI Act.