Challenges: Regulation of Personal Data Protection in AI Platforms

This article was published by Revista Industria Legal. 

Artificial Intelligence (AI) is one of the most significant technological advances of our time. Like all innovations, it has raised regulatory dilemmas that had not been considered before. One of the main challenges that arise with the proliferation of AI among citizens with internet access is the protection of personal data processed through these technologies.

In Mexico, the Constitution recognizes the Fundamental Right to the protection of personal data and establishes the creation of an authority to guarantee this right, the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI). However, one of the current challenges faced by the INAI in the exercise of its functions lies in creating robust regulations that can adapt to a constantly evolving reality. In the context of Mexico, the processing of personal data in the use of AI is not clearly defined in applicable legislation.

To establish criteria aimed at the proper protection of personal data processed through AI platforms, and considering the challenges and opportunities inherent in these technologies, the INAI has issued the Recommendations for the Processing of Personal Data Derived from the Use of Artificial Intelligence (“Recommendations”).

These Recommendations are aimed at developers and users of AI platforms with the purpose of promoting ethics and responsible use of them, as well as facilitating compliance with the duty of security of personal data. The recommendations complement the regulatory efforts undertaken by Mexico by adhering to UNESCO’s “Recommendation on the Ethics of Artificial Intelligence.”

The Recommendations underline the importance of personal data in the functioning of AI systems, as they are used to create profiles and perform tasks such as geolocation, face detection, and audio processing. Despite INAI’s valuable contribution, there is still a need for legislation on this matter to address the following challenges:

• Specific informed consent: Users of AI platforms often are unaware of how their personal data are processed in detail (compared to the general processing carried out by traditional data controllers). It is necessary for the implications in the processing of personal data to be adequately explained by the controllers of these platforms and for mechanisms to obtain users’ express consent to be considered.
• Determining responsibilities for breaches: The massive collection and storage of personal data on servers and databases that are not operated directly by humans create uncertainty about who is responsible in case of breaches resulting from AI operations.
• Preventing discrimination: AI platforms function based on the information they are fed. It’s crucial to establish mechanisms to prevent this information from leading to discriminatory actions against users, especially when they share sensitive personal data that could foster such discrimination by AI.
• Facilitating the exercise of rights: If AI platforms and technological advances emerge to improve and facilitate human life, it is essential that all users have easy and agile access to exercise their ARCO rights and other rights established in the data protection legislation. This should allow the AI platforms themselves to receive instructions directly from the users and execute them immediately, complying with the applicable legal norms.

In conclusion, it is important to leverage the institutional steps already taken to address the challenges of personal data protection on AI platforms and continue to improve the regulatory framework, always with the goal of guaranteeing the Fundamental Right of the users of these platforms.