In this project, we learned that the biggest hurdles to establishing a legal basis for the processing of personal data in connection with machine learning arise in the continual learning phase.
If an organization wants to use machine learning to solve the problem of not all relevant documentation being archived and entered into the record in a timely fashion, the sandbox project recommends that new archive legislation be implemented to responsibly regulate this issue.
The participants and the Data Protection Authority have had an opportunity to discuss practical challenges and potential measures to promote data protection by design in connection with procurement of solutions based on machine learning.
By taking a deep dive into the rules for data protection by design, Simplifai has gained a better understanding of the kinds of requirements they may be faced with from potential buyers of DAM. NVE, on the other hand, has gained a better understanding of the responsibilities data controllers have and how it can define requirements for solutions in a procurement process. The Data Protection Authority has learned more about the need for guidance actors have and how it can continue working to provide specific recommendations and examples.
The sandbox project recognizes the need for more actors to come together to build competence in the public sector and prepare practical examples of requirements public-sector bodies can include in competitive tenders for technical solutions. We would like to see templates setting out requirements for data protection by design in digital tools similar to those available for provider qualifications at anskaffelser.no. Such examples in template form could also provide increased predictability for providers.
If the proposal for a European Artificial Intelligence Act is adopted, there will be less need to use contracts to regulate product requirements. This proposal includes requirements for selected products that use machine-learning technology, not just for product users.