The Law for a Digital Republic of October 7, 2016 was the first to establish the principle of regulation on public sector algorithms. Then, the General Data Protection Regulation(GDPR) was put in place to protect personal data. It provides that the data controller must inform the data subject of the existence of automated decision-making, including profiling. These various applications are intended to ensure that the individual can always understand how AI works.
The law for a Digital Republic
Promulgated on October 7, 2016, it was the first to establish the principle of transparency on public sector algorithms, in this case, concerning administrations only (Article 4): requirement for administrations regarding algorithmic processing used to make individual decisions.
Art. L. 311-3-1. - Subject to the application of the second paragraph of article L. 311-5, an individual decision taken on the basis of algorithmic processing shall include an explicit statement informing the person concerned. The rules defining this processing as well as the main characteristics of its implementation are communicated by the administration to the person concerned if he or she so requests. "The conditions for the application of this article are set by decree in the Council of State."
The aforementioned decree provides that:
"Art. R. 311-3-1-1 - The explicit mention provided for in article L. 311-3-1 indicates the purpose of the algorithmic processing. It recalls the right, guaranteed by this article, to obtain communication of the rules defining this processing and the main characteristics of its implementation, as well as the procedures for exercising this right to communication and referral, if necessary, to the commission for access to administrative documents, defined by this book."
"Art. R. 311-3-1-2.-The administration shall communicate to the person who is the subject of an individual decision taken on the basis of algorithmic processing, at the request of the latter, in an intelligible form and subject to not infringing on secrets protected by law, the following information:
" 1° The degree and manner in which the algorithmic processing contributes to the decision-making ;
" 2° The data processed and their sources ;
"3° The processing parameters and, if applicable, their weighting, applied to the situation of the person concerned
" 4° The operations performed by the processing;"."
These provisions only concern administrations, but they are already a source of inspiration for the CNIL and some AI players. The general principles laid down by the Lemaire law could be taken up in the framework of a national legislation concerning this time the algorithms of the private sector.
The General Data Protection Regulation (GDPR)
Automation at the heart of the issues
The Regulation, in Article 13-2-f, provides that the controller must inform the data subject of " the existence of automated decision-makingand, at least in such cases, relevant information concerning the underlying logic and the significance and intended consequences of such processing for the data subject.
Article 13: Information to be provided when personal data are collected from the data subject
Where personal data relating to a data subject are collected from that person, the controller shall provide him or her with all the following information at the time the data are obtained
(a) the identity and contact details of the controller and, where applicable, the controller's representative
b) if applicable, the contact details of the data protection officer;
(c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; 4.5.2016 L 119/40 Official Journal of the European Union EN
(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any and, where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1), the reference to the appropriate or adequate safeguards and the means of obtaining a copy of them or the place where they have been made available
Fair and transparent treatment
In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information necessary to ensure fair and transparent processing:
(a) the length of time the personal data will be retained or, where this is not possible, the criteria used to determine that length of time;
(b) the existence of the right to request from the controller access to personal data, rectification or erasure of personal data, or a restriction on the processing relating to the data subject, or the right to object to the processing and the right to data portability (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent carried out prior to the withdrawal thereof;
d) the right to lodge a complaint with a supervisory authority;
(e) information on whether the requirement to provide personal data is statutory, contractual or conditional on the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as on the possible consequences of not providing the data
(f) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, relevant information about the underlying logic and the significance and intended consequences of such processing for the data subject.
These principles only concern algorithms used for profiling individuals. We will discuss the chronology of measures to legislate around AI in a future article.
