Statutory transparency requirements

Irrespective of whether or not personal data are processed using AI, the GDPR requires transparency and disclosure. In brief, the GDPR requires that:

• Personal data must be processed in an open and transparent manner (see Article 5(1)(a)). This means, for example, that the data controller must ensure the data subject has sufficient information to uphold their own rights.
• The data subject must be informed about how their personal data is being used, whether they have been obtained from the data subject themselves or from one or more third parties (see Article 13 and Article 14).
• If the data subject has supplied the data, such information must be provided in writing before or at the same time as the data are collected (see Article 13). If the data have been obtained from other sources, the data controller must notify the data subject within a reasonable period of time that the data in question have been collected (see Article 14).
• This information must be written in an understandable fashion, using clear and simple language (see Article 12). It must also be easily accessible to the data subject.
• The data subject is entitled to be told that their personal data is being processed and to inspect the data concerned (see Article 15).

A comprehensive guide may be found in WP29's/EDPB's guidelines on Transparency.

Transparency requirements relating to the development and use of artificial intelligence (AI)

The use of artificial intelligence (AI) is normally divided into three main phases:

1. Development of the algorithm
2. Application of the algorithm
3. Continuous machine learning and improvement of the algorithm

The GDPR's transparency requirements are general and are essentially the same for all the phases. However, there are some requirements that are relevant only in certain phases. For example, the requirement to provide information on the algorithm’s underlying logic is, as a rule, only relevant in the application phase.

In the following, we presume that in all three phases data is processed lawfully in accordance with Article 6 of the GDPR. Read more about the legal basis for data processing. We will examine in more detail the duty to provide information in the various phases.

Transparency requirements in the development phase

Articles 13 and 14 of the GDPR require undertakings to give notice when personal data are used in connection with the development of algorithms. Article 13 applies to data obtained directly from the data subject, for example by means of questionnaires or electronic tracking. Article 14 regulates situations where data are obtained from other sources or have already been collected, e.g. from one or more third parties or publicly available data.

When the data have been obtained directly from the data subject and are to be processed in connection with the development of AI systems, Article 13 requires the data controller to disclose the following:

• The types of personal data to be processed
• The purpose for which the algorithm is being developed
• What will happen to the data once the development phase has finished
• Where the data have been obtained from
• The extent to which the AI model processes personal data and whether anonymisation measures have been implemented

In principle, the data subject will have specific rights in connection with all processing of their personal data. The most relevant right is the right to request access to and the deletion and correction of their data, and, in some cases, also to object to their processing. Large quantities of personal data are often used in the development and training of AI. It is therefore important that both the solution's development and training are assessed specifically in relation to the regulatory framework.

On the whole, the same duties set out in Article 14 apply to data that have already been collected and used for a different purpose than the development of AI systems, such as information the undertaking has recorded on its customers or users.

However, Article 14(5) contains an exemption which may be relevant for the development of AI systems. Due to the vast quantities of data that are often required for the development of AI systems, notifying all the data subjects concerned can be a resource-intensive process. For example, in research projects involving the use of register data from hundreds of thousands of people, it may be difficult to notify each person individually. It follows from Article 14(5) that an exemption may be made if the data subject already has the information, the provision of this information proves impossible or would involve a disproportionate effort, the collection or disclosure is expressly permitted under EU law or the member states’ national legislation, or if the personal data must remain confidential under a duty of professional secrecy.

What constitutes a disproportionate effort will always rest on discretionary judgement and an overarching assessment of the specific circumstances. The Norwegian Data Protection Authority recommends that a minimum of information be provided in all cases, so the individual data subject knows in advance whether their personal data are being used for the development of AI. This may be ensured by means of the publication of general information concerning the data processing, e.g. on the undertaking's website. The information must be accessible to data subjects before further data processing commences.

Transparency requirements in the application phase

In the application phase, disclosure requirements will depend on whether the AI model is used for decision-support or to produce automated decisions.

For automated decisions which have a legal effect or significantly affect a person, specific disclosure requirements apply. If processing can be categorised as automated decision-making pursuant to Article 22, there are additional requirements for transparency. (See also Article 13(2)(f) and Article 14(2)(g).) The data subject is entitled to:

• Information that they are the subject of an automated decision.
• Information about their right not to be the subject of an automated decision pursuant to Article 22.
• Meaningful information about the AI system's underlying logic.
• The significance and expected consequences of being subject to an automated decision.

Although the provision of such supplementary information to the data subject is not expressly required when the AI system is being used as a decision-support tool, the Norwegian Data Protection Authority recommends that it be provided in such cases. This is particularly true where “meaningful information about the AI system’s underlying logic” can help the data subject to better uphold their rights.

A meaningful explanation will depend not only on technical and legal requirements, but also on linguistic and design-related considerations. An assessment must also be made of the target group for the explanation concerned. This could result in different wording for professional users (such as the NAV advisers and teachers referred to in the following examples) and more sporadic users (consumers, children, elderly people).

These EU guidelines provide advice on what a meaningful explanation of the logic could contain.

The data controller must assess how detailed to make the explanation of how the algorithm works, while ensuring that the information is clear and understandable for the data subjects. This may be achieved by including information about:

• The categories of data that have been or will be used in the profiling or decision-making process.
• Why these categories are considered relevant.
• How a profile used in the automated decision-making process is constructed, including any statistics used in the analysis.
• Why this profile is relevant for the automated decision-making process.
• How it is used to make a decision that concerns the data subject.

It may also be useful to consider visualisation and interactive techniques to assist with algorithmic transparency.

Public sector undertakings may be subject to other requirements relating to the provision of information concerning the reasons for automated decisions, e.g. the Norwegian Public Information Act or sector-related legislation.

In those cases where the data subject is entitled to object under Article 21, they must be made explicitly aware of their right to object pursuant to Article 21(4). The data controller is responsible for ensuring that this information is provided clearly and separately from other information, and that it is easily accessible – both physically and in the way it is framed. While it is natural to include such information in a privacy policy, this alone would probably not be sufficient to fulfil this requirement. The data subject should, in addition, be notified of their right to object in the interface where the processing of their data is initiated. In the event of an application portal, for example, the information should be clearly visible on the website or in the app into which the personal data is entered.

In connection with the use of personal data collected in the application phase for continuous machine learning, the requirement to provide information will largely coincide with the requirements in the development phase.