Artificial intelligence has POPIA implications


Rapid evolution in artificial intelligence (AI) applications, as well as improvements in computing power and the increasing availability of data, have led to significant growth in AI across most industries. The key developments in AI over the past few years have been driven by machine learning which, in turn, is fuelled by data. As more and more data is being gathered, so AI enables more sophisticated analysis of large data volumes. As the importance of data rises, so do the associated legal issues.

In some cases, businesses are free to use the data they hold for whatever purpose they want, including developing AI algorithms. However, there are many instances where they are not free to use the data. For example, if personal data is used to develop, train or test AI algorithms, that processing will need to be fair and lawful and comply with data protection laws. In addition, if the data relates to a third party, it might be confidential or provided under a limited licence. Also, if third parties will have access to the data, that may complicate the data protection and confidentiality issues.

It is of the utmost importance that AI is used responsibly. On a global scale, an important step to strengthen trust in AI has been the development of principles for the responsible development and deployment of AI, including accountability and transparency. One important aspect of ensuring responsible deployment of AI is legal and regulatory compliance.

From a compliance perspective, businesses in South Africa will firstly need to ensure their AI system is compliant with the Protection of Personal Information Act, 2013 (POPIA). Almost all of the remaining provisions of POPIA came into effect on 1 July 2020. Various aspects of POPIA must be considered when creating an AI system.

Of key importance for AI systems, given their inherent problem-solving ability, is section 71(1) of POPIA, which governs automated decision-making. This section protects data subjects from being subjected to a decision which is based solely on automated decision-making, which results in legal consequences for the data subject and the data subject being profiled.

For instance, an AI system would have the ability to profile customers seeking a bank loan, and determine their creditworthiness based on previous loan repayments, income, indebtedness, etc. Section 71(1) prohibits the bank from making a decision to grant or reject the loan application based solely on the profile created by the AI system. In this particular example, however, the bank, which is receiving the customer’s loan application, would need to determine whether it can rely on one of the exceptions to the prohibition on automated decision-making, which are set out in section 71(2) of POPIA.

Businesses implementing an AI system should also be mindful of section 57(1)(a) of POPIA, which requires a responsible party to obtain prior authorisation from the Information Regulator if it intends to process any unique identifiers of data subjects (i) for another purpose than intended at collection, and (ii) with the aim of linking the information with information processed by other responsible parties. In this instance, “unique identifier” can be any identifier that uniquely identifies a data subject in relation to the responsible party such as, for example, an identity number or employee number.

Section 57(1) will be relevant when, for example, an AI system deployed by Business A intends to combine the identity number of an employee with data collected by Business B to determine whether the employee is more susceptible to a certain work-related risk based on his or her age. In this instance, Business A would have to approach the Information Regulator before it could utilise the AI system. The responsible party must consider not only what information will be processed by the AI system, but also how the AI system will use it, to ensure that all data protection compliance requirements have been met.

In many instances, AI systems learn and become more intuitive by acquiring vast quantities of data. However, as mentioned above, organisations must proceed with caution when the data inadvertently contains personal information. Before feeding the data into the system, the organisation should consider whether the information can be input in de-identified form, which would exclude it from the application of POPIA. If the information cannot be de-identified, it would be incumbent on the responsible party to ensure that data subjects are aware that their personal information is being used to test an AI system. If the data subjects originally provided their personal information to the organisation for the purposes of procuring a product or service, for example, then the use of the personal information for AI testing must be compatible with that purpose. If not, before the organisation can use the data subjects’ personal information for AI testing purposes, it would need to obtain their consent.

While the deployment of AI systems creates great opportunities for organisations, it is important for them to understand the laws that apply to the data being input into the system to ensure that use of data in the AI system is not in breach of any laws.