When the European Data Protection Supervisor (EDPS) recommended that the Artificial Intelligence (AI) Act should not allow AI systems to recognize human characteristics in public places, and this was reflected in the final version of the law, it was a victory for the EDPS Director Leonardo Cervera.
Prior to its decision last summer, the proposal appeared to allow for remote biometric identification and facial recognition.
“We said no, no, no,” Cervera told PYMNTS. “It was an example of a red line where we said, no, we won’t allow that to happen. I’m sure that [opinion] will have a big influence on the final result.”
Cervera told PYMNTS that although the EDPS is unable to issue binding advice to other EU institutions, its authority on data protection is respected and followed.
The EDPS is an independent authority made up of 120 public officials from the European Union. It is responsible for ensuring that the European institutions respect the right to privacy and protect data when processing personal information.
This decision to ban AI systems from recognizing human characteristics in public places was taken in conjunction with the European Data Protection Board (EDPB). The EDPB's mission is to ensure compliance with the General Data Protection Regulation and to promote cooperation between data protection regulators in the European Union.
Application of data protection rules
In its day-to-day tasks, the EDPS acts as a traditional data protection authority. It carries out investigations and, if necessary, investigates complaints.
“It’s, let’s say, the least sexy part of our job,” Cervera said. “The most interesting part comes from the fact that the law requires that the EDPS be consulted on any proposal or any possible question having data protection implications.”
Advisory opinions that matter
While Cervera acknowledged that EDPS decisions are advisory and not binding, he said they have influence on members of Parliament and the European Commission, the politically independent executive arm of the EU.
The EDPS’ recommendations often have an impact on the outcome of negotiations between the Parliament and the European Commission on data security issues, he said.
“The role of the EDPS is to recommend policy and we are mandated to follow new technologies very closely,” he said. “The idea is to anticipate the impact of new technologies on data privacy.”
When the European Commission plans to publish a proposal, it systematically asks for the opinion of the EDPS, he said. It’s a useful approach that works, Cervera added, because it allows commissioners to anticipate potential data protection issues that may arise.
“Most of the time we are very constructive and supportive of what the committee is doing because we see ourselves as a loyal partner to the other institutions in the legislative process,” Cervera said. “But when things are going badly from a data protection point of view, we don’t hesitate to have strong opinions.”
The future of PSD3
One of the issues facing the EDPS is a revised Payment Services Directive (PSD). Its purpose is to recommend ways to stimulate competition in the payments market. PSD2 was agreed in 2015, but the technology has advanced considerably and the legal text might not be good enough for the next challenges.
Today, Cervera said, discussions are underway on PSD3, the next iteration. The objectives of a new version will remain consistent with PSD2.
One of Cervera’s priorities this time around, he said, is to focus more on data protection. That is not only because regulators can achieve the goal of having more data protection, but also because it is a principle of data protection by design, he added.
“The European Commission is obliged to consult us, and we will issue an opinion,” he said. “If you consider data protection at the beginning of what you do, you will have no problems later.”
He said the biggest mistake regulators make is ignoring problems until a payment system or service is working and complaints arise.
“It’s extremely expensive to fix all of these issues at this point,” he said. “But if they are taken seriously from the start, there are good technical solutions to avoid these problems.”
Improving privacy protection in payment services
In December, the EDPS published a TechDispatch that explored how payment networks hold data detailing a consumer’s life.
While the retention of credit card data, for example, has led law enforcement officials to suspected tax evasion, money laundering and international criminal networks, this data also contains details of the private lives of most citizens as they expand their use of digital payments. Leaks, whether accidental or caused by cyberthieves, present a general risk of mass surveillance and unintended use, according to the report.
“We have identified some issues where there is room for improvement,” Cervera said. “Not that the situation is terrible or out of control, but when you look at it from a data protection perspective, there is room for improvement.”