Data protection issues arising in connection with the use of Artificial Intelligence

May 20, 2022

Source: European Data Protection Board

Background information

Date of final decision: 8 February 2022

Cross-border case or national case: National case

Controller: Budapest Bank Zrt.

Legal Reference: Lawfulness of Processing (Article 5(1)(a), Article 6(1), Article 6(4)), Purpose Limitation (Article 5(1)(b)) Transparency (Article 12(1), Article 13), Right to Object (Article 21(1), Article 21(2)), Appropriate Measures (Article 24(1)), Data protection by design and by default (Article 25(1), Article 25(2)

Decision: Infringement of Articles 5(1)(a), 6(1), 6(4), 5(1)(b), 12(1), 13, 21(1), 21(2), 24(1), 25(1), and 25(2) of the GDPR, Order to comply with the above Articles, Imposing administrative fine in connection with the above infringements

Key words: artificial intelligence, new technologies, analysis of phone audio recording, analysis of emotions, bank, legitimate interest assessment, transparent information, right to object, privacy by design and by default, administrative fine

 

Summary of the Decision

Origin of the case  

In another procedure, the Hungarian SA became aware of the fact that the data controller performs automated analysis on the customer service phone calls. Due to the fact that this data processing was not clearly specified in the information provided to data subjects, the Hungarian SA started an ex officio investigation against the data controller in 2021 to review the general data processing practice of data controller regarding the automated analysis.

Key Findings

The data controller records all customer service phone calls. Each night, a software automatically analyses all new audio recordings. The software uses artificial intelligence to find keywords, and guesses the emotional state of the client at the time of the call. The result of the analysis is stored connected to the phone call within the system of the software for 45 days, along with the voice call. The result of the analysis is a list of persons sorted by the likelihood of dissatisfaction, anger based on the audio recording of the customer service phone call. Based on the result of the analysis, designated employees mark clients to be called by customer service trying to assess their reasons for dissatisfaction. No information on this particular data processing was provided to data subjects and no right of objection is technically possible, and the data processing was planned and carried on aware of this.

The impact assessment of the data controller also confirmed that the reviewed data processing uses artificial intelligence and causes high risk to the fundamental rights of data subjects. Neither the impact assessment, nor the legitimate interest assessment provided any actual risk mitigation, and the measures only on paper (information, right of objection) were insufficient and non-existent. Artificial intelligence is by nature difficult to deploy in a transparent and safe manner, additional safeguards are necessary. Due to its internal working, it is difficult to confirm the results of personal data processing by artificial intelligence, and it may be biased.

Decision

The Hungarian SA determined the serious infringement of numerous articles of the GDPR for a long period, ordered the data controller to stop processing emotional state of the clients, only continue the data processing if made compliant with the GDPR, and issued an administrative fine in HUF equal to approximately EUR 650,000.

For further information: https://www.naih.hu/hatarozatok-vegzesek?download=517:mesterseges-intelligencia-alkalmazasanak-adatvedelmi-kerdesei

Recent news

September plenary – adopted documents

During its September plenary, the EDPB adopted: Opinion 25/2022 regarding the European Privacy Seal (EuroPriSe ) certification criteria for the certification of processing operations by processors 19 September 2022 Publication Type: Opinion of the Board (Art. 64)...

read more

New EDPB opinion on certification criteria

During its latest plenary, the EDPB adopted its opinion on the EuroPrise certification scheme submitted to the Board by the German DPA of North Rhine Westphalia. This is the second EDPB consistency opinion on criteria for a nationwide certification scheme. The...

read more

Record fine for Instagram following EDPB intervention

Brussels, 15 September - Following the EDPB’s binding dispute resolution decision of July 28th, the Irish Data Protection Authority (DPA) has adopted its decision regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and has issued a record GDPR fine. The...

read more
Generated by Feedzy