Objective of the sandbox process
Before Simplifai was admitted into the Data Protection Authority’s sandbox, the company had participated in a StartOff project with the National Archives Services of Norway, led by the Norwegian Agency for Public and Financial Management (DFØ).
The goal of this project was to explore how artificial intelligence could be used to automate or support e-mail record-keeping and archiving. DAM was developed in this project.
The main focus of the StartOff project was to strike a good balance between data protection considerations and the desire to find effective ways to meet requirements under the Freedom of Information Act and Archive Act. During the project, it became clear that the potential legal hurdles associated with the use of artificial intelligence in e-mail processing did not so much come from archive requirements, but rather from the Personal Data Act and the Working Environment Act. The project assumed that the legal complexity would be lower when DAM was applied to organizations' centralized e-mail addresses, such as than on personal e-mail addresses. Personal e-mail addresses, such as , were not included in the StartOff project.
Even so, it is only when DAM is applied to personal e-mail addresses that the effect of the service really kicks in, as administrative processing primarily takes place using personal e-mail addresses. At the same time, using this technology on personal e-mail addresses raises some key questions about privacy. This was the background for the application to join the Data Protection Authority’s sandbox for responsible artificial intelligence.
The sandbox process has had two primary goals:
1. Consider whether the use of DAM is lawful for a public-sector body
Finding out whether the implementation and further development of DAM would be lawful for a public-sector body was a primary concern for Simplifai before launching this solution on the market. The primary goal of lawfulness was divided into three separate issues:
- Explore which legal basis from the General Data Protection Regulation (GDPR) would be relevant for a body implementing the planned solution.
- Explore whether the use of special categories of personal data is permitted under the GDPR.
- Clarify whether the planned solution would be in conflict with the prohibition on monitoring in the E-mail Regulations.
Based on resource considerations, the project decided not to explore the transfer of personal data to countries outside the EEA through cloud computing. The project has based its considerations of lawfulness on Simplifai’s assessment that the company is a data processor. This means the project has not considered whether Simplifai is a data controller or data processor.
2. Give recommendations on data protection by design to public bodies intending to procure a solution that is entirely or partially based on machine learning (artificial intelligence)
As a provider of intelligent archive solutions, Simplifai wants to develop a service that meets both regulatory requirements and other needs public bodies have in terms of data protection and privacy. Intelligent solutions are becoming more and more prevalent in the public sector, and purchasing competence is pivotal in making sure these solutions are implemented in a good way.
In this project, the Data Protection Authority, Simplifai and NVE worked together to develop recommendations for how public bodies can set requirements for solutions based on machine learning in procurement processes, to ensure that the public sector complies with the requirement for data protection by design.