Skip to main content

What information needs to provided when personal information will be processed by Artifical Intelligence?

|

If an entity collecting data is not fully transparent about the information that is being collected and how it will be processed and I particular when it is collected by bots or processed by Artificial Intelligence then a data subject is unable to provide the required informed consent

The Israeli Privacy Protection Authority (the “PPA”) recently published a position paper with regard to informed consent and in particular informed consent when using automation.

If an entity collecting data is not fully transparent about the information that is being collected and how it will be processed and stored then a data subject is unable to provide the informed consent mandated by Section 3 of the Israeli Privacy Protection Law (the “Law”).

In a recent position paper published by the PPA it presented its interpretation of Section 11 of the Protection of Privacy Law, which says that if an entity is collecting personal data from an individual that will be stored in a database it is obligated to provide that person with advance notice which contains sufficient information to enable the person to provide informed consent.

There are specific guidelines as to what should appear in this notice, including for what purposes the personal data is being collected, to whom the personal data will be provided and, if there is a legal obligation to provide the information. This notice must be written in clear, simple and accessible language and it is recommended that it include details regarding the manner in which the information is stored (such as the identity of those authorized to access the information), and regarding the rights of the data subject.

Insofar as the notice is addressed to a distinct public in a certain sense (such as age, country of origin or disability), it is important that the language of notice be adapted, as far as possible, as this can also affect the validity of informed consent. The PPA notes that to the extent that the information collected is particularly sensitive (such as biometric information), and in circumstances where there is an inherent concern that the consent of the data subject may be limited, it is advisable that the duty to inform be even broader than set forth in Section 11 of the Law.

For the first time, the PPA also specifically addresses the matter of notification where personal data will be collected and/or processed by algorithm-based decision making systems or artificial intelligence, and notes:

  • When the collection of information is carried out through automated systems (such as “bots”), it is necessary to ensure that data subject be presented with all the required information in accordance with the provisions of Section 11 of the Law.
  • When the processing of information is conducted using automated systems - the notification procedure must specify how the said systems work, insofar as it is relevant to the formulation of the consent and to the extent that this detail is legally possible, technologically, and commercially.
  • It is recommended that the subject of information be explained about the details of the information that the systems may use as part of the use of the information relating to it, and the source of these details.

The PPA clarifies that the collection and use of information from a person without sufficient knowledge of the subject of the information affects the validity of the informed consent, and may constitute a violation of the provisions of the Protection of Privacy Law.

Now we wait to see how the market and Israeli courts implement (if any) the PPA's recommendations.

 

Article provided by INPLP member: Beverley Zabow (BL&Z Law Offices & Notaries, Israel)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}