When people interact with artificial intelligence systems, their personal data (full names, addresses, contact information, etc.), including biometric data, may be collected and processed. Such processing using AI algorithms can lead to its exposure, leaks or unlawful use.
There have been known instances of unlawful biometric use. In 2020 in the US state of Illinois, the American Civil Liberties Union filed suit against facial recognition company Clearview AI, under the Illinois Biometric Information Privacy Act. Below, we present a brief summary of this case:
- Clearview AI, Inc. used facial recognition technology to gather over 3 billion photos from publicly available Internet images, creating a database.
- The facial recognition database became available for purchase.
- The court approved a settlement prohibiting the company from selling access to its database to most enterprises and private organizations across the US.
This case serves as a prime example of how the law values the importance of safeguarding personal data from potential leaks and illegal processing. It emphasizes the necessity of obtaining consent for the use of personal data when employing AI systems.
According to the legislation of many countries, including Kazakhstan, biometric data is considered personal data and cannot be collected or processed without the data subject’s explicit consent.
The EU, through its General Data Protection Regulation, is already a global leader in establishing best practices for handling personal data, and its proposed EU AI Act already establishes an approach to protect AI systems’ use of personal data by prohibiting or restricting:
- The categorization of people based on biometric data or predicting behavior using profiling.
- The use by law enforcement agencies of AI for individual risk assessments or predicting criminal behavior based on profiles or past actions.
Current legislation in Kazakhstan regarding personal data protection can be applied to AI users, for instance, concerning the need to obtain a subject’s consent to use their personal data in an AI system.
In our opinion, it is additionally necessary for Kazakhstan to develop appropriate regulations, including rules for AI system developers/owners to ensure the ethical and legal use of personal data within AI operations.
In our next article, we will address issues of liability for harm caused by AI technologies. Stay tuned for more!
D +7 727 258 2380
Senior Associate, Almaty
D +7 727 258 2380