“Please understand we cannot provide further information”: evaluating content and transparency of GDPR-mandated AI disclosures

The General Data Protection Regulation (GDPR) of the EU confirms the protection of personal data as a fundamental human right and affords data subjects more control over the way their personal information is processed, shared, and analyzed. However, where data are processed by artificial intelligenc...

Full description

Saved in:
Bibliographic Details
Published inAI & society Vol. 39; no. 1; pp. 235 - 256
Main Authors Wulf, Alexander J., Seizov, Ognyan
Format Journal Article
LanguageEnglish
Published London Springer London 01.02.2024
Springer Nature B.V
Subjects
Algorithms
Artificial Intelligence
Automation
Big Data
Computer Science
Content analysis
Control
Data processing
Effectiveness
Engineering Economics
General Data Protection Regulation
Information processing
Logistics
Marketing
Mechatronics
Methodology of the Social Sciences
Organization
Original Paper
Performing Arts
Robotics
Automated data processing
Information disclosures
Explainable AI
Artificial intelligence
Empirical legal studies
GDPR
Online AccessGet full text

Cover

More Information
Summary:The General Data Protection Regulation (GDPR) of the EU confirms the protection of personal data as a fundamental human right and affords data subjects more control over the way their personal information is processed, shared, and analyzed. However, where data are processed by artificial intelligence (AI) algorithms, asserting control and providing adequate explanations is a challenge. Due to massive increases in computing power and big data processing, modern AI algorithms are too complex and opaque to be understood by most data subjects. Articles 15 and 22 of the GDPR provide a modest regulatory framework for automated data processing by, among other things, mandating that data controllers inform data subjects about when it is being used, and its logic and ramifications. Nevertheless, due to the phrasing of the articles and the numerous exceptions they allow, doubts have arisen about their effectiveness. In this paper, we empirically evaluate the quality and effectiveness of AI disclosures as mandated by the GDPR. By means of an online survey ( N  = 835), we investigated how data subjects expect to be informed about the automated processing of their data. We then conducted a content analysis of the AI disclosures of N  = 100 companies and organizations. The combined findings reveal that current GDPR-mandated disclosures do not meet the expectations and needs of data subjects. Explanations drawn up following the guidelines of the generic formulations of the GDPR differ widely and are often vague, incomplete and lack transparency. In our conclusions we identify a path towards standardizing and optimizing AI information notices.
ISSN:0951-5666
1435-5655
DOI:10.1007/s00146-022-01424-z