Until now, despite countless warnings before entry into force of the EU’s General Data Protection Regulation in May 2018, administrative authorities have not imposed high fines for violation of regulations on processing of personal data. But this situation seems to be changing, at least in France. On 21 January 2019 the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of EUR 50 million on Google LLC. The CNIL found that Google had not processed personal data transparently, providing data subjects inadequate information on processing and personalising ads without the consent of the persons who were shown the ads.
At the end of 2017, we wrote about the possibility of using artificial intelligence in the financial services sector. We pointed out that AI algorithms can be used by the financial industry to automate customer contacts and issue initial credit decisions. The use of algorithms by government bodies seemed to be less important at the time. However, this issue ignited much controversy at the end of 2018 due to a ruling by the Province Administrative Court in Warsaw on the freezing of a bank account under a recently introduced section of the Tax Ordinance, which also introduced the digital clearinghouse STIR into the Polish legal system.
Apart from potentially very high administrative penalties that national data protection authorities may impose on violators of the EU’s General Data Protection Regulation (as has already occurred, for example, in France), under the GDPR any person who has suffered material or non-material damage has the right to obtain compensation from the controller or processor of his personal data for the damage suffered. This is an instrument that has attracted much less attention than administrative sanctions, but it may have very serious financial consequences.
At the end of September the French personal data state processing regulator, the Commission Nationale Informatique & Liberté (CNIL), published a preliminary analysis of the issue of what kind of systems suitable for blockchain might apply to personal data processing. The CNIL has also been looking at the issues that are fundamental from the point of view of the GDPR, for example who the controllers and processors are on a blockchain. The CNIL has proposed a number of specific solutions but realises that it does not have extensive knowledge of this technology. It has said that it is open to proposals from experts and says they are welcome to propose their own solutions.
Newly formed companies, and companies that have been on the market for some time, are becoming increasingly aware of their obligations under AML/FT regulations. Firms in various sectors, such as the technological sector, do not always realise that these obligations are only applicable to the types of entities listed in AML laws. Some businesses employ know your customer (KYC) identification procedures equivalent to those provided for in AML laws even though they are not subject to these laws. The problem is that overzealousness of this kind might be a breach of laws in other areas, especially personal data laws, above all the GDPR.
In a recent article I discussed possible solutions to the question of liability of algorithms for copyright infringement. The solution put forward some time ago by the European Parliament Committee on Legal Affairs is creating the status of electronic persons. This would mean that an algorithm, and not people responsible for the algorithm, would be directly liable for breaking the law.
An alternative, originally proposed in the US and subsequently analysed under Swiss, English, and German law, is use of equivalents of a Polish spółka z ograniczoną odpowiedzialnością (in the US a limited liability company and GmbH in Germany) as a legal vehicle for attributing legal personality to an algorithm. This would be a ‘memberless entity’.