Don’t look now, but using Google Analytics to track your website’s audience might be illegal.
That’s the view of a court in Austria, which in January found that Google’s data product was in breach of the European Union’s General Data Protection Regulation (GDPR) as it was not doing enough to make sure data transferred from the EU to the company’s servers in the US was protected (from, say, US intelligence agencies).
But it’s just Google Analytics, right? What’s the big deal? Well, for those working in AI and biotech, it matters, especially for those working outside of Europe with a view to expansion there.
For a start, this is a major precedent that threatens to upend the way many tech companies work, since the tech sector relies heavily on the safe use and transfer of large quantities of data.
Whether you use Google Analytics is neither here nor there; the case has shown that Privacy Shield — the EU-US framework that governs the transfer of personal information in compliance with GDPR — may not be compliant with European law after all. It may have to be torn up and a new agreement found, leaving companies to second-guess their way forward in the meantime.
At Trans-Atlantic Loggerheads
The bigger picture here is that the EU is increasingly focused on preserving the privacy of its citizens online and offline. For instance, few countries have given citizens the “right to be forgotten” in online search results, as the EU as a federation has.
But AI and other technologies require heavy use of data. Machine learning systems need huge swathes of it to produce useful end results, whether that’s in healthcare, consumer industries, travel, or food. So, companies working with AI must be extra vigilant and sure of their processes. How is the data stored? Where is it moving from and to, both virtually and physically?
Even if you aren’t based in the EU right now, you might still have to play by the rules. Want to train up a new AI application on a crucial data set? Well, you’d better check where every data point within it comes from. Want to expand? At some point, one of your suppliers is likely to have operations in the EU. It is a tech hub after all. Want to hire the best staff? In today’s hybrid working culture you might be expanding your talent search further afield than ever before — to the EU and its population of half a billion people, say.
If you think your business will need to do any of the above, it’s time to start planning.
More Compliance Regulation is Coming
The internet might recognize geographic boundaries, but it is seldom bound by them. You, however, will be, or you risk facing large fines. This new interpretation of GDPR is just the start. EU AI-specific legislation is also coming up fast with the publication of a draft report due soon.
As it stands, this legislation will require broad compliance from companies, and will outright ban some uses for AI. It will also require human oversight and other checks for systems deemed high-risk, such as facial recognition applications.
Many tech leaders have blanched at the proposals. They say that they would stifle innovation, particularly in sectors the EU draft legislation would likely deem high-risk, like healthcare. The EU’s focus on compliance may actually bring the public trust that AI research requires to be of any real-world use, but at this point, neither stance matters. These changes are inevitable, and US tech companies cannot afford to ignore this looming issue.
Between a new interpretation of GDPR and legislation directly targeting the AI sector, you are now seriously at risk of falling foul of EU law unless you get to grips with the challenge.
Advances in AI and the applications it is used for are going to drastically increase the flow of data across the world — in ways we haven’t even imagined yet. One way or another, AI is going to make more trade than ever international, so it’s time to recognize this one Austrian court ruling as the canary in the virtual coal mine. We all need to think more carefully about what we do with people’s data, now.