When the European Data Protection Supervisor (EDPS) recommended that the artificial intelligence (AI) act shouldn’t allow AI systems to recognize human features in public places, and this was reflected in the final version of the law, it was a victory for EDPS Director Leonardo Cervera.
Before its decision last summer, the proposal seemed to allow remote biometric identification and facial recognition.
“We said no, no, no,” Cervera told PYMNTS. “It was an example of a red line where we said, no, we will not allow this to happen. I’m sure that this [opinion] will have a big influence in the final outcome.”
Cervera told PYMNTS that despite not being able to issue binding opinions to other EU institutions, EDPS’s authority on data protection is respected and followed.
The EDPS is an independent authority comprised of 120 public officials in the European Union. It is responsible for ensuring European institutions respect the right to privacy and protect data when they process personal information.
That decision to prohibit public-facing AI was made jointly with the European Data Protection Board (EDPB). The EDPB's mission is to ensure compliance with the General Data Protection Regulation and promote cooperation among the European Union’s data protection regulators.
Enforcing Data Protection Rules
As part of its daily tasks, the EDPS acts as a traditional data protection authority. It investigates and, if necessary, conducts investigations on complaints.
“This is, let’s say, the less sexy part of our job,” Cervera said. “The most interesting part comes from the fact that the law requires that the EDPS is consulted on any proposal or any possible matter that has data protection implications.”
Advisory Opinions That Matter
While Cervera acknowledged that the EDPS decisions are advisory and not binding, he said they have sway with members of the Parliament and the European Commission, the EU’s politically independent executive arm.
Recommendations by the EDPS often impact the outcome of negotiations between the Parliament and European Commission over data security matters, he said.
“The EDPS’ role is to recommend policy and we are mandated to follow new technologies very closely,” he said. “The idea is to anticipate the impact of new technologies on data privacy.”
When the European Commission considers issuing a proposal, it routinely seeks advice from the EDPS, he said. It’s a helpful approach that works, Cervera added, because it allows commissioners to anticipate possible problems that might arise over data protection.
“Most of the time, we are very constructive, and we support what the commission does, because we see ourselves as a loyal partner to the other institutions in the legislative process,” said Cervera. “But when things get ugly from the data protection viewpoint, we do not hesitate to have strong opinions.”
The Future of PSD3
One of the issues facing the EDPS is a revised Payment Services Directive (PSD). Its objective is to recommend ways to drive competition in the payments market. PSD2 was agreed upon in 2015 but technology has advanced significantly, and the legal text may not be good enough for the next challenges.
Today, Cervera said, discussions are underway over PSD3, the next iteration. The objectives of a new version will remain consistent with PSD2.
One priority Cervera will have this time, he said, is to focus more on data protection. This is not only because regulators can achieve the goal of having more data protection, but also because it is a principle of data protection by design, he added.
“The European Commission is obliged to consult us, and we will issue an opinion,” he said. “If you take data protection into consideration at the beginning of whatever you’re doing, then you will not have problems afterwards.”
He said the biggest mistake regulators make is to ignore issues until a payment scheme or service is operating and complaints arise.
“It’s extremely expensive to fix all these issues at that point,” he said. “But if they are taken seriously from the beginning, there are good technical solutions to avoid these problems.”
Improving Privacy Protection in Payments Services
In December, EDPS issued a TechDispatch which explored how payments networks have data that describes a consumer’s life in detail.
While the retention of credit card data, for example, has led law enforcement officers to suspects of tax evasion, money laundering and international crime rings, this data contains details of the private lives of most citizens as they extend their use of digital payments. If leaked by accident or by cyberthieves, it presents a general risk of mass surveillance and unintended use, the report said.
“We have identified some issues where there is room for improvement,” Cervera said. “Not that the situation is terrible or out of control, but when you look at it from a data protection viewpoint, there is the possibility for improvement.”