The European Data Protection Supervisor (EDPS) has sounded a warning, revealing that the core pillars of the bloc’s data protection and privacy structure are currently facing fierce opposition from industry influencers. In fact, they may be subjected to harsh scrutiny from lawmakers in the upcoming parliamentary session.
“We have quite strong attacks on the principles themselves,” cautioned Wojciech Wiewiórowski, the head of the regulatory body responsible for ensuring the compliance of European Union institutions with the bloc’s data protection regulations. This statement was made during a Q&A session with members of the European Parliament’s civil liberties committee. Concerns were raised that the European Union’s General Data Protection Regulation (GDPR) is at risk of being diluted.
He expressed particular concern for two essential GDPR principles: minimization and purpose limitation. These principles are likely to be called into question in the coming years.
With elections for the parliament scheduled for June and the Commission’s term coming to an end in 2024, changes in the EU’s leadership are imminent. Any shift in perspective from the incoming lawmakers may have far-reaching consequences for the bloc’s stringent protection of individuals’ personal data.
Although the GDPR has only been in effect since May 2018, Wiewiórowski elaborated on the potential challenges that the regulatory body will face in the future during a press conference after the release of the EDPS’ annual report. He noted that the next parliament would comprise very few lawmakers who were involved in drafting and passing the landmark privacy framework.
“We can say that these people who will work in the European Parliament will see the GDPR as a historic event,” he remarked. He also predicted that the incoming parliamentarians would be eager to debate whether the legislation is still relevant. However, he also acknowledged that the review process is ongoing, with each new parliament bringing in fresh perspectives and ideas.
He also highlighted the immense pressure from industrial lobbyists, particularly their complaints against the principle of purpose limitation in the GDPR. Some members of the scientific community also view this aspect of the law as a hindrance to their research.
According to Wiewiórowski, “[data] controllers have an expectation that they will be able to reuse the data collected for a particular purpose to discover unknown information.” He also mentioned an opinion expressed by a business representative that the purpose limitation principle is “one of the biggest crimes against humanity.” They believe that future data needs may arise, and any limitations imposed by the law would hinder the process.
“I do not agree with this view,” Wiewiórowski stated. “But I cannot ignore the fact that this is a question that is being raised.”
If the GDPR’s purpose limitation and data minimization principles are weakened, it could have significant implications for privacy in the region. The EU was the first to introduce a comprehensive data protection framework and is still considered to have the strongest privacy laws globally. However, the GDPR has also inspired similar legislation around the world.
One of the key requirements of the GDPR is to process personal data only to the minimum extent necessary for a specific purpose. Moreover, data collected for one purpose cannot be used for any other reason without proper authorization.
The purpose limitation principle emphasizes the need for transparency in the intended use of personal data, instead of collecting it indiscriminately in anticipation of future needs. Additionally, data minimization encourages the collection of only the minimum data required. However, the recent surge in the development of powerful generative AI tools has created a demand for vast amounts of data, which goes against the GDPR’s principles.
For instance, OpenAI, the creators of ChatGPT, are currently facing several challenges and investigations related to GDPR compliance, particularly concerning the legal basis for processing individuals’ personal data for training their AI model.
Although Wiewiórowski did not explicitly mention generative AI as the main driver of the “strong attacks” on the purpose limitation principle, he did acknowledge AI as one of the significant challenges faced by data protection regulators in Europe.
“The problems associated with artificial intelligence and neuroscience will be the most crucial aspects in the next five years,” he predicted, speaking about the emerging technological challenges.
“The technological aspects of our challenges are evident during the AI revolution, where we are witnessing the democratization of tools. However, we must also remember that during times of instability, such as the current situation with Russia’s war in Ukraine, technology advances at an unprecedented rate,” he added.
Wiewiórowski also mentioned the role of wars and conflict in driving the use of data and AI technologies, citing examples such as the use of AI in satellite imagery analysis and geospatial intelligence in Ukraine. He believes that the effects will be felt across various sectors in the upcoming years.
Speaking about neuroscience, he expressed concerns about regulatory challenges arising from the transhumanism movement, which aims to enhance human capabilities by connecting them physically with information systems. He described this development as “not science fiction,” stating that it is already in progress. He emphasized the importance of being prepared for the legal and human rights implications of such advancements.
Notably, companies such as Elon Musk’s Neuralink and Facebook owner Meta have been reported to be working on projects involving the integration of AI technology with human biology, including reading and interpreting human thoughts.
The potential risks to privacy in an age where technology and human biology are becoming increasingly intertwined cannot be ignored. Therefore, any attempt to weaken the EU’s data protection laws driven by AI is likely to have detrimental effects on citizens’ human rights in the long run.