1 for all. Legal | Tax | Compliance Regulatory Framework of Big Data and Artificial Intelligence Dr. Martin Eckert [email protected]

Regulatory Framework of Big Data and Artificial Intelligence · 2018-10-22 · 1 for all. Legal | Tax | Compliance Regulatory Framework of Big Data and Artificial Intelligence Dr



1 for all. Legal | Tax | Compliance

Regulatory Framework of Big Data and Artificial Intelligence

Dr. Martin Eckert

[email protected]

Microsoft 1978

Image source: hoaxes.org

Microsoft 2010

Image source: Tagesanzeiger

The Lawyer's view on AI

What can go wrong?

Who is responsible?

Is there any regulation?

Is regulation needed?

How about contracts?

How about exclusivity?

Who owns the results of projects?

Who is affected?

Are robots legal persons?

Tax issues?

Insurance?

How can you make money?

IP?

AI: Regulation?

• In general: No definition of AI – difficult to set rules – so far no «AI law»

• AI/Big Data issues in Fintech?

• Financial damages (liability) - risk allocation

• Data Protection (GDPR) -> personal data must be processed lawfully, fairly and in a transparent manner

• Safeguarding consumers (e.g. no discriminatory pricing)

AI: Future regulation

• Future:

• Political discussion

• Robots as legal persons?

• Expected: specific regulation (as for animals, cars, autonomous cars)

• Insurance solution (nuclear power; cars)

• Code of Ethics UK: Select Committee on Artificial Intelligence, House of Lords

Isaac Asimov’s Three Laws of Robotics (1942)

AI: Responsibility - liability

• AI/Big Data goes wrong => financial damage => damage claims

• No specific laws (so far)

• Contractual basis for damage claims

• Tort («unerlaubte Handlung»)

• Who is responsible and legally liable?

Clarify responsibility in contracts (risk allocation)

Insurance

AI/Big Data: Data Protection

• AI/Big Data in the General Data Protection Regulation (GDPR):

• Principles relating to processing of personal data: personal data must be processed lawfully, fairly and in a transparent manner

• Profiling

• Automated individual decision-making

• Data Protection Impact Assessment (DPIA)

GDPR principles

• GDPR is only about personal data

• Personal data = information relating to an identified or identifiable natural person

➢ ≠ anonymous data (not in scope of GDPR)

• Objective of GDPR: protection of fundamental rights and freedoms of natural persons

➢ always take the perspective of the data subject

GDPR principles

• Personal data must be processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)

• Lawfulness (art. 6 GDPR):

• Consent of the data subject

• or processing is necessary for:

➢ the performance of a contract or to conclude a contract (e.g. credit rating)

➢ the compliance with a legal obligation (AML)

➢ legitimate interests of the controller (customer acquisition)

GDPR principles

• Accountability (controller is responsible for, and must be able to demonstrate GDPR compliance)

• Extensive information duties: Controller must provide a set of information to the data subject (transparent information; rights of data subjects) => difficult in practice (machine learning)

• Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose (data minimisation)

GDPR Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular

➢ economic situation

➢ personal preferences and interests

➢ reliability, behaviour

➢ performance of work

Automated decision-making

Data Protection Impact Assessment

• prior to the processing

• risk assessment (risks to the rights and freedoms of natural persons)

• supervisory authorities will establish:

• black list (DPIA required)

• possibly white list (no DPIA required), e.g. Austria

• In case of high risk: consultation of supervisory authorities

Procurement

If you as controller engage another party to process personal data („Processor“), you must make sure that (Art. 28 GDPR):

How can procurement assure compliance?

GDPR: Standards & Certificates

• Data Processing Contracts

• Request Codes of Conduct or Certificates

* not yet certified

GDPR Approach

• Many legal questions are still open (consolidation needed within EU) => wait and see / do not overreact

• Risk-based approach

• Solid documentation, no perfectionism

• Concentrate knowledge about data protection

• Common sense!

Draft Swiss Data Protection Act

The same principles are provided for in the revised Swiss Data Protection Act:

• Art. 19 E-DSG: Duty to inform in the case of an automated individual decision

• Art. 20 f. E-DSG: Data protection impact assessment / consultation

• Art. 8 E-DSG: Processor

• Art. 12 E-DSG: Certification

AI: FINMA

Circular / Rundschreiben 2013/8: Supervisory rules on market conduct in securities trading / Aufsichtsregeln zum Marktverhalten im Effektenhandel

• 18: Anyone engaging in algorithmic trading may not use it to give out false or misleading signals regarding the supply of, demand for or market price of securities.

• 61: Supervised institutions that engage in algorithmic trading (see margin no. 18) must employ effective systems and risk controls to ensure that this cannot result in any false or misleading signals regarding the supply of, demand for or market price of securities.

• 62: Supervised institutions must document the key features of their algorithmic trading strategies in a way that third parties can understand.

AI: Who owns the output?

• Copyright?

• Software (code) is protected (copyright)

• Does copyright exist in AI-generated content (literary, musical, artistic work)? Non-human author?

A protected work must be original => the author must have created the work through his own skill, judgment and effort (human author required; UK). Other: Korea

If a non-human author can create a work: Who owns the copyright? Traditional: „Person“ making the necessary arrangements -> person directing the software. How about unsupervised „deep learning“?

AI: Who owns the output?

• Patents?

• Algorithms are not protectable (no patents)

• Business method patents (USA)

• No software patents in the EU

➢ Use contracts to fill in IP gaps

➢ Attribution of ownership of results (including learning enhancements)

➢ Exclusivity, confidentiality, data security

➢ Trade or business secrets

AI: Who owns the results? Pitfalls

• Ownership of data?

• Open Source Software

• Third party rights

• Right to data portability (Art. 30 GDPR)

To do's as Controller (bank, FI)

• AI and Big Data projects need budget for legal structuring and compliance

• Contracts:

• responsibility/interfaces/liability

• state-of-the-art Data Processing Agreements with IT-Providers (Processors)

• ownership of results (software, data, etc.)

• exclusivity, confidentiality clauses

• Data Protection Impact Assessment (prior)

To do's as Provider (Fintech)

• Demonstrate GDPR compliance (data protection certificates/seals for products and services)

• „DPIA ready“

• Codes of Conduct (Fintech industry)

• Contracts (responsibility, risk allocation)

To do's as Investor / Board

• Ask the right questions:

• Who is responsible for data protection?

• What has been done (DPIA? Certificate?)

• Can compliance (including the technical and organisational measures) be documented?

• How about innovation protection?

• Reduce risk / liability

Don't forget the lawyers

Image source: Tagesanzeiger

Do the legal homework and relax!

Questions?

• Broad experience in the comprehensive consulting of internationally oriented technology and trading companies (including M&A)

• Specialization: IT, IP, data protection, blockchain and technology law, telecommunication sector and high-tech industries (including medical technology)

• Recognized expert in numerous large and complex IT outsourcing projects of banks and insurance companies (see Legal 500)

• Conducts commercial law processes (commercial court proceedings and arbitration proceedings)

• Lecturer at the HWZ University of Applied Sciences Zurich (CAS Digital Risk Management)

• Accredited Data Protection Expert at ePrivacyseal GmbH

• Board activities (Bank, IT, medical technology)

• Attorney of the Delegation of the EU Commission to Switzerland (EU Embassy)

• Former Judge at the Federal Appeal Commission for Intellectual Property (2003-2006)

• WHOSWHOLEGAL.COM: «Martin Eckert is widely regarded by sources as a leading light in data protection and an expert in complex projects.»

Dr. Martin Eckert

Legal Partner

[email protected]

www.mme.ch

Manuela Eisenhut

Assistant / HR

+41 44 254 99 70


Office Zurich

Zollstrasse 62

P.O. Box 1758

CH-8031 Zurich

T +41 44 254 99 66

F +41 44 254 99 60

Office Zug

Gubelstrasse 11

P.O. Box 613

CH-6301 Zug

T +41 41 726 99 66

F +41 41 726 99 60

www.mme.ch

[email protected]

© 2018 MME