Data protection issues arising in connection with the use of Artificial Intelligence

May 20, 2022

Source: European Data Protection Board

Background information

Date of final decision: 8 February 2022

Cross-border case or national case: National case

Controller: Budapest Bank Zrt.

Legal Reference: Lawfulness of Processing (Article 5(1)(a), Article 6(1), Article 6(4)), Purpose Limitation (Article 5(1)(b)) Transparency (Article 12(1), Article 13), Right to Object (Article 21(1), Article 21(2)), Appropriate Measures (Article 24(1)), Data protection by design and by default (Article 25(1), Article 25(2)

Decision: Infringement of Articles 5(1)(a), 6(1), 6(4), 5(1)(b), 12(1), 13, 21(1), 21(2), 24(1), 25(1), and 25(2) of the GDPR, Order to comply with the above Articles, Imposing administrative fine in connection with the above infringements

Key words: artificial intelligence, new technologies, analysis of phone audio recording, analysis of emotions, bank, legitimate interest assessment, transparent information, right to object, privacy by design and by default, administrative fine

 

Summary of the Decision

Origin of the case  

In another procedure, the Hungarian SA became aware of the fact that the data controller performs automated analysis on the customer service phone calls. Due to the fact that this data processing was not clearly specified in the information provided to data subjects, the Hungarian SA started an ex officio investigation against the data controller in 2021 to review the general data processing practice of data controller regarding the automated analysis.

Key Findings

The data controller records all customer service phone calls. Each night, a software automatically analyses all new audio recordings. The software uses artificial intelligence to find keywords, and guesses the emotional state of the client at the time of the call. The result of the analysis is stored connected to the phone call within the system of the software for 45 days, along with the voice call. The result of the analysis is a list of persons sorted by the likelihood of dissatisfaction, anger based on the audio recording of the customer service phone call. Based on the result of the analysis, designated employees mark clients to be called by customer service trying to assess their reasons for dissatisfaction. No information on this particular data processing was provided to data subjects and no right of objection is technically possible, and the data processing was planned and carried on aware of this.

The impact assessment of the data controller also confirmed that the reviewed data processing uses artificial intelligence and causes high risk to the fundamental rights of data subjects. Neither the impact assessment, nor the legitimate interest assessment provided any actual risk mitigation, and the measures only on paper (information, right of objection) were insufficient and non-existent. Artificial intelligence is by nature difficult to deploy in a transparent and safe manner, additional safeguards are necessary. Due to its internal working, it is difficult to confirm the results of personal data processing by artificial intelligence, and it may be biased.

Decision

The Hungarian SA determined the serious infringement of numerous articles of the GDPR for a long period, ordered the data controller to stop processing emotional state of the clients, only continue the data processing if made compliant with the GDPR, and issued an administrative fine in HUF equal to approximately EUR 650,000.

For further information: https://www.naih.hu/hatarozatok-vegzesek?download=517:mesterseges-intelligencia-alkalmazasanak-adatvedelmi-kerdesei

Recent news

June Plenary – adopted documents

During its June plenary, the EDPB adopted:  Guidelines on certification as a tool for transfers EDPB response to EDRi regarding the structural and procedural enforcement of the GDPR and its work to promote and safeguard data protection EDPB response to the European...

read more

May Plenaries – adopted documents

During its May 2nd plenary, the EDPB adopted: EDPB-EDPS Joint Opinion on the proposed Data Act During its May 12th plenary, the EDPB adopted: Guidelines on the calculation of administrative fines Guidelines on the use of facial recognition technology in the area of...

read more