Privacy first, data second!
What you need to know about the new personal data directives and their implications for computer vision.
If there is one thing that you’ve learned with us so far it is that AI is moving fast and where technologies progress, regulations must evolve as well. AI is based on data processing and the European Parliament has therefore decided to update personal data regulation in order to catch up. Thus, we wanted to give you a grasp on exactly what’s changing and how it can impact your business.
More and more services are built using personal data to personalize offers, target specific audiences or create automatic recognition systems. At deepomatic, we have encountered many use cases in which personal data collection is at the core of the systems we co-create with our clients. To protect each and everyone of us there are institutions that exist to ensure safe and controlled use of our identities and some rules must be followed when using personal data.
The new French general data protection directives will be implemented on the 25th of May 2018. They are a direct application of the European directives voted in 2016. The first main change that you should be aware of is that from next May onwards you will no longer be required to make a deposition at the CNIL to make use of personal data but you will be held directly responsable concerning the conformity of your personal data directives.
So how does this impact computer vision and what actions should be taken ?
Good job Sherlock !
First things first, let’s define who exactly is concerned by the new directives by looking at the CNIL’s (Commission Nationale de l’Informatique et des Libertés — the French National Commission for Data Protection) definition of personal data.
You may not be aware of it but personal data isn’t just pictures of faces or names. According to the CNIL, personal data means any information relating to an identified or identifiable individual. Defining if your information concerns an identified person is easy but what about information related to an identifiable individual ? A social security number, a licence plate or any feature specific to his/her physical, cultural or social identity is considered personal data. It can be a very misleading concept. One could falsely believe that if you can’t determine a person’s identity at first glance then it can’t be personal data. Yet it is possible to combine information from various sources to identify someone and if your data can help to do that, it falls within the scope of the CNIL’s definition of personal data.
Let’s try with an example. Imagine you have a picture of people walking down a street with place and time captions but we don’t see their faces. It might be possible to retrieve the identity of the individuals by cross-checking their clothes, skin colors or physical dimensions to the time and place at which the pictures were taken.
Now if you are looking to build a computer vision system and your data meets the previous definition criteria of personal data then keep reading ! To comply with the law, you basically have two options : fulfill directive requirements or delete personal information in your dataset.
1- Meet the requirements …
Like Mike, we are not real legal experts and won’t bore you with learned-by-heart articles, let’s just take a look at the main principle introduced by the new directives.
- First, your data processing activities must fulfill a defined purpose. It is illegal to collect personal data without any reason or for an undefined future usage. A defined purpose for instance could be to optimize autonomous driving thanks to cameras embedded in cars.
- Alongside with this first principle, the collected data must be relevant to the purpose and strictly necessary for its completion.
To illustrate these first two directives, take a train company that wishes to make train stations more secure by installing an automated weapon detection system. This is a defined purpose. To do that, they will need footage of video surveillance cameras featuring users’ faces. This is personal data but it is relevant and necessary for achieving the objective.
3. Your data processing activities, including who you store your data, must be limited in time, restricted to a relevant duration to achieve your objective.
4. And last but not least, you will need to obtain the consent of the individual whose identity is shown in your data. There are different ways of doing this: you can either ask them directly or use more implicit methods to obtain consent. For instance, if you are filming people in a public space, it is possible to inform them that you are collecting data by putting up a sign or offering an alternative path if they wish not to be filmed.
If you cannot obtain consent, then keep reading to learn your last option.
2- Or erase the trace !
What if the easiest way to comply to a law would be if it didn’t apply to you? It’s exactly what you can do by anonymizing your data before processing it. To do so, there shouldn’t be any trace of personal information in your picture (or any other type of data) that would make it possible to identify an individual. In computer vision, you would most likely anonymize data by putting a black box around the identifier for instance.
But be careful not to forget the official definition of personal data! Blurring or erasing a single face is not always enough to overcome the presence of other personal information contained in the data. However, it is a very good practice encouraged by the CNIL that improves security and shows good willingness to ensure individual rights to privacy. Anonymization can actually be easily achieved through using computer vision. By training a detection model specialized in recognizing faces or licence plates for instance, you can then automatically apply a black box or blur them. If you are interested in learning more about these last solutions, please do not hesitate to get in touch with us !
Artificial intelligence is proving to be a controversial topic of conversation from a legal standpoint. The new directives are a first step towards a safe and ethical use of personal data in order to build intelligence systems but one can expect that in the near future further regulations may be needed. Lawmakers will probably keep a close eye on AI progress in the following years to make sure that it doesn’t compromise not only on the privacy of individuals but also on their safety and integrity.
You can contact us at : email@example.com or visit our website at www.deepomatic.com
For more information about French Data Protection laws check out https://www.cnil.fr/fr.