In a judgment issued last week, the European Court of Justice invalidated the EU-U.S. Privacy Shield Program by which businesses in the United States could self-certify their compliance with a framework of principles for data protection. This judgment is the top privacy story for multinational companies this year. What does this mean for artificial intelligence companies? For AI companies using personal data to train machine learning systems, the answer is that it just got harder to import personal data from the European Union (EU) and broader European Economic Area (EEA) to the United States.
The background is that some U.S. businesses in the artificial intelligence field are importing personal data from European countries to train machine learning systems with a myriad of applications. Companies with a physical presence in the EEA, companies directing marketing efforts to EEA member states, and companies monitoring the behavior of individuals present in EEA member states are subject to the European Union’s General Data Protection Regulation (GDPR). For more details, see my earlier blog post. In addition, other U.S. businesses may provide services to another U.S. business that has already imported personal data from EEA countries. Such U.S. businesses must then agree by contract to give personal data from those countries the same level of protection it would receive under GDPR in the EEA. Therefore, some AI companies are required, directly or indirectly, to meet GDPR standards.
GDPR allows for the free flow of personal data from EEA countries to countries that the European Commission has found to have an adequate level of data protection. So if the laws in those countries are stringent enough, then there is no barrier to exporting personal data to those countries from the EEA. And by “export,” I mean that a company in an EEA member state could, for instance, send the personal data to a vendor in one of those countries. As one example, a cloud storage provider in Canada could receive personal data from EEA companies without any GDPR-imposed restrictions. The laws in Canada are stringent enough to protect personal data. Other countries with such adequacy decisions include Argentina, Israel, Japan, Switzerland, and New Zealand.