My latest in @the_hindu explores the new world disorder. “We are living in an interregnum — the old world fading, the new one unformed. The danger is not that the system collapses overnight, but that it decays slowly, leaving a vacuum filled by opportunism and coercion. The promise of 1945 was that law could tame power. The peril of today is that power may once again tame law. The task for this generation is not to resurrect the past but to prevent the future from sliding into a world where the only real rule is that there are no rules at all.”
EU countries will discuss a single entry point for notifications related to data breaches under the GDPR and cybersecurity incidents to feed into a digital simplification package, according to a paper seen by @mlexclusive.
https://t.co/wPHsFAcRMv
Yesterday drawing from @internetfreedom's annual Privacy Supreme event, I wrote in @TheHinduComment what the draft data rules mean for ordinary Indians. They are too little, too vague and too late.
🚨 BIG! The EDPB has just published Opinion 28/2024, and the AI landscape in the EU will NEVER be the same. Here’s why this Opinion is a GAME-CHANGER and how the EDPB has thrown open the 🔥GDPR enforcement gates🔥:
➵ To begin, what is Opinion 28/2024? It covers data protection issues related to the processing of personal data in the context of AI models and aims to answer the four questions below:
➤ when and how an AI model can be considered as ‘anonymous’;
➤ how controllers can demonstrate the appropriateness of legitimate interest as a legal basis in the development phase;
➤ how controllers can demonstrate the appropriateness of legitimate interest as a legal basis in the deployment phase;
➤ what are the consequences of the unlawful processing of personal data in the development phase of an AI model on the subsequent processing or operation of the AI model.
➵ If you read my newsletter, you know I've been commenting on this topic since November 2022. I've been looking forward to an official opinion by the EDPB - beyond the ChatGPT task force report from May 2024 - clarifying how AI companies can potentially comply with legitimate interest (Article 6.1(f) of the GDPR). Why?
➵ Most AI companies today rely on legitimate interest to train AI models. If you understand how LLMs work and are familiar with GDPR interpretation and case law, you know that what most companies do today does NOT comply with legitimate interest requirements. Why?
➵ One of the main reasons is that they can't pass legitimate interest's balancing test (the third step) because they don't respect GDPR transparency requirements and don't allow data subjects to exercise their rights. As a consequence, they don't have a lawful ground to train AI in the EU.
➵ Among other things, this EDPB Opinion has indicated - with much more detail than the ChatGPT Taskforce Report - what AI companies can do to shift the balancing test in their favor. [HINT: IT WILL BE HARD].
➵ To give an example, this is one of the measures the EDPB suggests to AI companies so they can facilitate the exercise of individuals’ rights:
"Allowing the data subjects to exercise their right to erasure even when the specific grounds listed in Article 17(1) GDPR do not apply."
➵ Recent studies have shown that erasure in the context of AI models is not effective, and it's still possible to retrieve information after "deletion." Moreover, the EDPB specifically mentions that this should happen "even when the specific grounds listed in Article 17(1) GDPR do not apply," showing that the interpretation will favor data subject protection (and not the other way round).
🚨 There is A LOT to unpack (and a lot in between the lines) in this Opinion. Tomorrow, I'll send a deep dive to the 42,700+ subscribers of my weekly newsletter. To receive it, SUBSCRIBE below.
If you're a fan of @waitbutwhy, you're going to want to watch this interview. In this first episode of Awakening the Machine, Tim Urban describes the stakes, risks, and promise of the current moment in AI development.
Journalists are meant to speak truth to power. That's our job. But what do you do when that power is your own news org?
This thread (professional suicide note?) is about @guardian & @ObserverUK's future. Because it turns out you can’t believe everything you read on a poster..
1/
Hello all! We are hiring for a Policy Counsel role in our Brussels office! Seriously, you could not join a kinder, nicer, geekier team. Check out the details below and apply soon, we’ll be reviewing applications on a rolling basis: https://t.co/12zh30WRx5
#privacyishiring
🚨Below is the open letter signed by Meta, Spotify, and many others, asking for regulatory certainty on AI in Europe, followed by my comments.
[If you are interested in AI, data protection, and want to understand what this letter is really about, this long post is for you]
"EUROPE NEEDS REGULATORY CERTAINTY ON AI
Fragmented regulation means the EU risks missing out on the AI era.
We are a group of companies, researchers and institutions integral to Europe and working to serve hundreds of millions of Europeans. We want to see Europe succeed and thrive, including in the field of cutting-edge AI research and technology. But the reality is Europe has become less competitive and less innovative compared to other regions and it now risks falling further behind in the AI era due to inconsistent regulatory decision making.
In the absence of consistent rules, the EU is going to miss out on two cornerstones of AI innovation. The first are developments in ‘open’ models that are made available without charge for everyone to use, modify and build on, multiplying the benefits and spreading social and economic opportunity. The second are the latest ‘multimodal’ models, which operate fluidly across text, images and speech and will enable the next leap forward in AI. The difference between text-only models and multimodal is like the difference between having only one sense and having all five of them.
Frontier-level open models like Llama – based on text or multi-modal – can turbocharge productivity, drive scientific research, and add hundreds of billions of euros to the European economy. Public institutions and researchers are already using these models to speed up medical research and preserve languages, while established businesses and start-ups are getting access to tools they could never build or afford themselves. Without them, the development of AI will happen elsewhere – depriving Europeans of the technological advances enjoyed in the US, China and India.
The EU’s ability to compete with the rest of the world on AI and reap the benefits of open source models rests on its single market and shared regulatory rulebook. If companies and institutions are going to invest tens of billions of euros to build Generative AI for European citizens, they require clear rules, consistently applied, enabling the use of European data. But in recent times, regulatory decision making has become fragmented and unpredictable, while interventions by the European Data Protection Authorities have created huge uncertainty about what kinds of data can be used to train AI models. This means the next generation of open source AI models, and products, services we build on them, won’t understand or reflect European knowledge, culture or languages. The EU will also miss out on other innovations, like Meta’s AI assistant, which is on track to be the most used AI assistant in the world by the end of this year.
Europe faces a choice that will impact the region for decades.
It can choose to reassert the principle of harmonisation enshrined in regulatory frameworks like the GDPR so that AI innovation happens here at the same scale and speed as elsewhere. Or, it can continue to reject progress, betray the ambitions of the single market and watch as the rest of the world builds on technologies that Europeans will not have access to.
We hope European policymakers and regulators see what is at stake if there is no change of course. Europe can’t afford to miss out on the widespread benefits from responsibly built open AI technologies that will accelerate economic growth and unlock progress in scientific research. For that we need harmonised, consistent, quick and clear decisions under EU data regulations that enable European data to be used in AI training for the benefit of Europeans. Decisive action is needed to help unlock the creativity, ingenuity and entrepreneurialism that will ensure Europe’s prosperity, growth and technical leadership."
➡️My comments
This is the paragraph where you can read between the lines:
"But in recent times, regulatory decision making has become fragmented and unpredictable, while interventions by the European Data Protection Authorities have created huge uncertainty about what kinds of data can be used to train AI models."
EU regulations (such as the GDPR and the AI Act) are neither fragmented nor unpredictable, as companies have time to comply, and, as EU regulations, they are directly applicable to all Member States.
What's bothering them (especially Meta) is the lack of a firm position from EU data protection authorities on how to apply GDPR in the context of AI training.
Let's use the example of the lawful grounds to process data to train AI (Article 6 of the GDPR).
To process personal data in the EU (such as to train AI), you must rely on one of the grounds established in Article 6 of the GDPR. Most companies currently rely on legitimate interest. The other feasible alternatives in this commercial context would be contract or consent.
However, data protection authorities in the EU disagree on whether it's possible to rely on legitimate interests to train AI.
The Dutch Data Protection Authority, for example, said that "scraping is almost always illegal." The European Data Protection Board (EDPB)'s ChatGPT Task Force Report gave suggestions on how to comply with the GDPR in this regard. However, it's a preliminary report and not a final stand, and the suggestions are mostly improbable or unfeasible at this point.
It's unclear which additional assurances (both technical and legal) would be necessary to make sure that legitimate interest is lawful and will not lead to a GDPR fine.
As I discussed live with @maxschrems last week, Meta and other companies who want to use personal data to train AI could always ask for people's consent. An opt-in mechanism through Facebook and Instagram would make sure that people are informed about this practice and choose to consent or not. This would be legal according to the GDPR, and people would be happy to have the opportunity to choose (and not be dragged into the AI machine without being asked).
Additional issues that bother Meta (and the other companies they brought to sign the letter) are data subjects' rights, data protection principles, and privacy by design. How to comply with those in the context of AI training and fine-tuning?
There is a lack of a uniform firm stand from Data Protection Authorities on how to interpret and apply the GDPR in the context of AI training (what is feasible, what is not, and what can be concrete workable assurances), but there is also a lack of interest in being more transparent.
Most companies don't want to be fully transparent about the data they use to train AI (remember that Mira Murati interview about the data used to train Sora? She clearly didn't want to say it on record).
They are also extremely scared of letting people choose if they want their data used to train AI (opt-in instead of a cumbersome opt-out mechanism).
The letter is extremely dramatic here:
"This means the next generation of open source AI models, and products, services we build on them, won’t understand or reflect European knowledge, culture or languages. The EU will also miss out on other innovations, like Meta’s AI assistant, which is on track to be the most used AI assistant in the world by the end of this year."
It's referring to the recent Meta vs. Irish DPC case, where Meta decided not to use data from EU users to train AI after @NOYBeu's complaints. Well, they could have asked for people's consent, but the "yes" rate would be much lower than they wanted, so they didn't even try.
So yes, the EU needs to be more decisive and clear on how exactly companies can comply with the GDPR to train AI. A final document with practical, acceptable measures and guardrails would be a good idea.
However, companies must be much more transparent and ethical. Even this letter is not totally transparent as the specific issue raised (Meta not using EU data) could have been immediately solved if they had asked for people's consent, but they didn't want this option and didn't mention it here.
People feel they are being treated like feedstock to train AI: unconsented, uninformed, and not compensated. Companies must remember that there are people behind the data. If they are open to that, I'm sure they will find a way to comply with EU laws.
➡️Below you'll find links to:
- the open letter
- my conversation with Max Schrems (where we discuss many of these issues)
- my newsletter article where I explain the issue of legitimate interest in the context of AI training and the lack of a firm & uniform decision by EU Data Protection Authorities.
The French cement giant, Lafarge, started operating in Syria just before the civil war erupted.
When Islamic State took over the region, Lafarge paid them protection money so it could keep trading.
The consequences are still playing out
https://t.co/5UPZYsttPy
Announcement: @TheQuint has started a tracker for hate crimes and communal incidents. It's still a work in progress but we want to ensure no hate crime goes unreported. Please check it out and share widely
https://t.co/W0N1QOcYM0
Day 1 update: 📢
Since yesterday, we've had 19 new members sign up.
Thank you for spreading the word, we are 6.33% closer to our target.
Help us get to 300 new members 🥷💞