This thesis explores which issues and challenges developers and users of AI face by complying with Regulation 2016/679 on data protection (GDPR), and thus, the hypothesis is that GDPR introduces significant difficulties. The thesis is meant to be a tool for lawyers, engineers and managers alike to identify the rules that AI need to abide by.

The structure of the substance of the thesis consists of an initial presentation of the technical aspects of artificial intelligence with relevant examples and illustrations. This is followed by a systematic and thorough examination of GDPR’s provisions on its principles as a starting point. The analysis of the thesis includes a review of current technologies that can potentially alleviate some of the challenges. The conclusion summarizes the discovered issues and challenges from the analysis and compares them and their connections in addition to evaluating their possible solutions where possible.
Some of the inherent challenges for developers and users of AI are related to the similarities with big data where voluminous data sets are preferred to improve precision of the models’ predictions and decisions. Other challenges originate from the complexities of these types of algorithms – especially in online models and deep learning.

GDPR requires controllers to specify the purposes of the collections of data and to minimize the amount. Controllers may not be able to specifically determine the results and thus the purposes of collections. Controllers must take the contexts of the processes into account to determine the suitable specificity.
From the stated purposes, the controllers must assess whether the personal data is necessary. It is not always possible to determine when data is necessary for an AI to process as the statistical analysis is automated. The AI will determine causalities that it can learn from, but only then does it know which clusters of data were utilized.

However, to delete or even correct personal data within an AI is no small task. This issue concerns primarily the situation where data turns out to be unnecessary for the purposes, the rights to be forgotten and rectification. From a technical stand point, it may not be possible at all to delete or rectify data because of the complexities of especially deep learning, and GDPR’s lack of clarity on the required measures regarding this issue displays its shortcomings.

A major concern regarding the processing of personal data by AI relates to the lack of transparency of the processing as well as decisions. Automated decision-making requires demonstration of the “logic”, which is also a general requirement throughout the regulation and as such calls for the implementation of methods for the AI to explain itself – a measure that would solve many of the issues concluded upon in this thesis.

To ensure appropriate security, the controllers must identify both assets and threats. Assets should be protected, while threats should be protected against. Certain threats are specific to different types of AI, namely reverse engineering, adversarial injections and backdoors.

Online models and AI using deep learning techniques face greater challenges; hence, the specific AI should be identified. There are certain possible solutions to these issues; especially the use of pseudonymization, technological approaches to encryption and particularly aggregation as well as the classification of the AI as a statistical or scientific purpose. Although the most ideal solution tends to be the avoidance of personal data altogether, of which there are different methods to carry out without compromising the statistical results.

GDPR does not set impossible responsibilities for controllers to comply with. Online models and deep learning AI do face challenges where solutions are currently in a grey area. Controllers should however be better equipped to face the challenges of the regulation by considering the conclusions of this thesis.