THE POSITIONING OF AI BETWEEN THE RESPECT FOR INDIVIDUAL FREEDOMS AND HEALTH SAFETY : THE EUROPEAN LEGAL FRAMEWORK
The whole world has been taken by storm for several months by a global epidemic : the Covid-19 virus. Spreading at high speed and infecting the population exponentially, this virus has infected 1,430,453 people to date, and is identified as the source of 82,133 deaths.
As the toll continues to grow, government and health authorities have the pressing objective of overcoming the health insecurity facing society.
In order to stem the epidemic, Artificial Intelligence (hereinafter “AI”) is appearing to be a powerful tool in order to meet this urgent need. The latter, defining itself as a “set of theories and techniques implemented with a view to producing machines capable of simulating human intelligence”, sets up artificial neural networks made up of servers making it possible to process heavy calculations within gigantic databases. Indeed, the machine makes it possible, in various fields of application, to provide solutions more quickly than what humans would be capable of.
Faced with the current health emergency, the AI support function has already proven itself for the scientific community :
- This tool demonstrated its effectiveness when the Canadian startup BlueDot launched the alert concerning the epidemic risk of Covid-19 at the end of December 2019, and this before the first official communications from the World Health Organization. The algorithm is able to detect and track the risks of spreading infectious diseases by analyzing thousands of press articles, official reports, and professional forums daily. This program can read in 65 languages and can track more than 150 types of diseases.
- AI provides relief to the medical profession with its virus detection solution. The e-commerce giant in China, Alibaba, offers an AI that diagnoses the virus in just twenty seconds by scanning, compared to the total fifteen minutes done by eye by a human, and all this with an accuracy of up to 96%.
- The algorithm is an aid to the development of treatments. Although still under development, Google’s startup DeepMind has used its AI to publicly communicate the protein structure of the Covid-19 virus to the scientific community.
The supposed excesses of AI beyond European borders…
Some Asian countries are using devices that require the massive collection and processing of citizens’ personal data, as an additional weapon in the fight against the pandemic, the objective being to establish targeted tracing.
In China, the giant Alibaba has created the Alipay Health Code application which, once installed on the smartphone, collects a large amount of personal data to assign a score to the citizen according to his state of health. The data collected determines whether the individual has come into contact with an infected person, visited a risk area, or reported suspicious symptoms. A color code is then assigned and must be presented at the various checkpoints present in the cities of the country : green for a healthy citizen, yellow for a potential house arrest for seven days, and red for quarantine.
In Hong Kong, the authorities impose the wearing of an e-bracelet (bracelet connected to the smartphone), making it possible to geolocate individuals placed in quarantine or showing symptoms. On the Beijing side, the police are using a program that scans the body temperature of travelers in stations using an infrared and facial recognition system. As for South Korea, the country goes so far as to make the personal data of infected people public to the entire population.
Beyond the Asian borders, other countries such as Israel are beginning to adopt similar systems requiring massive processing of personal data.
With regard to the individual freedoms defended by European regulations and national legislation, a large number of European citizens clearly identify this type of device as a drift.
However, it would seem that closer to us on European territory, Poland and Germany have adopted tracking measures such as taking regular photographs, to attest to compliance with quarantine or the voluntary downloading of an application, in association with the wearing of an e-bracelet to record the vital signs of individuals.
So what is the European legal framework ?
Towards building a trusted AI in Europe…
Being aware that AI will contribute considerably to improving health security but that many risks are associated with it, the European Commission is proposing an approach based on an ecosystem of trust thanks to the establishment of a regulatory framework .
Although AI can help ensure the safety of citizens, it can also be a source of legal uncertainty when used for malicious purposes and thus arouses a feeling of mistrust.
The Commission had already addressed the issue beforehand and had formulated, in its Ethical Guidelines for Trustworthy AI of April 8 2019, seven essential requirements expected of an AI :
- Human factor and human control ;
- Technical robustness and safety ;
- Privacy and data governance ;
- Transparency ;
- Diversity, non-discrimination and equity ;
- Societal and environmental well-being and
Today, AI is only subject to non-binding guidelines. The establishment of a specific regulatory framework would thus contribute to reducing the lack of confidence and accelerating the adoption of this technology.
In particular, AI increases the possibilities of monitoring and analyzing the habits of populations. Although AI developers are required to respect fundamental rights, and are subject to European regulations regarding the protection of personal data and respect for privacy, in the minds of certain European citizens, the potential risk of mass surveillance of the population by public authorities is increased.
While in France the use of video surveillance by drones whose role is to patrol to control the frequency of movement of the population in public spaces is already the subject of much debate, some citizens fear a next step image of the means undertaken in the aforementioned countries.
However, it should be remembered that the collection and processing of personal data has a strengthened regulatory framework since the adoption of the “General Data Protection Regulation (commonly known as “GDPR”) , the purpose of which is to give back the governance of their personal data to European citizens, and to guarantee the protection of their privacy. The GDPR has been directly applicable in the Member States of the European Union since May 25, 2018.
At a national level, France has thus modified the provisions of law n°78-17 of January 6, 1978 relating to data processing, files and freedoms (commonly called “Loi Informatique & Libertés”), in accordance with the new regulatory European framework.
In order for the national governments of the Member States to legitimize the use of programs involving the processing of personal data, the latter must comply with the rules and principles formulated by the GDPR, in particular :
- A lawful processing must be based on one of the six legal bases listed in Article 6 of the GDPR, including : consent of the individual, necessity to safeguard their vital interests, necessity for the performance of a mission of interest public or subject to the exercise of public authority.
- The processing must guarantee the principles set out in Article 5 of the GDPR : purpose, transparency, security and confidentiality, retention of data limited to the purpose, proportionality and minimization of data.
It should be specified that under Article 9.1 of the GDPR, arrangements involving the processing of sensitive data, i.e., “data revealing racial or ethnic origin, (…) as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person”, are in principle prohibited.
The European Data Protection Board recalls, in its statement of March 19, 2020, that processing in the context of a pandemic such as Covid-19 is, by exception of article 9.2 of the GDPR, authorized under certain conditions, and in accordance with national provisions. In this context, it is not necessary to obtain the consent of individuals.
On this occasion, the Committee also provides details on a possible use by national governments of devices collecting data from smartphones to monitor and limit the spread of the virus.
In accordance with the Privacy Directive, such processing requires the consent of the user or the anonymization of his personal data. The Committee therefore calls on governments to favor the anonymization process.
Following this official communication, eight operators announced their intention to transmit the anonymous geolocation data of their customers, to a group of researchers attached to the European Commission, the aim being to generate statistics by mapping the population and to help health services to anticipate needs. The Commission guarantees users the deletion of personal data at the end of the health crisis.
The anonymization of personal data is a guarantee of technical security making it impossible to re-identify the individual. Thus, the data is no longer personal and the privacy of its subject is preserved.
The envisioned tracking in France placed under conditions that preserve freedoms…
The use of tracking was not ruled out by the Prime Minister, Edouard Philippe, during his hearing on April 1, 2020, which envisages digital tracking, not compulsory, but based on a “voluntary commitment” by the user. .
Therefore, the government plans to use digital tracking while preserving the user’s consent and favoring Bluetooth technology, which is less intrusive and more respectful of privacy.
Indeed, Bluetooth allows two phones to communicate without geolocating their owner. This would allow the individual to be alerted if they come across an infected person.
It is possible to question the relevance of the use of tracking reconciled with respect for individual freedoms.
The effectiveness of this technological tool could be fatally compromised since it would be based on the following two points : voluntary downloading of the application and accurate information from the individual about his current state of health.
Thus, it seems difficult to manage to trace the virus, and to quickly obtain reliable results, by adopting a “minimized” use of tracking.
It is here that this device finds its limits. For it to be effective, its capabilities must be fully exploited. This would therefore imply a temporary and supervised restriction of the individual freedoms of French citizens until the end of the health crisis.
Obviously, this option is not unanimous. While the introduction of this application is still under discussion, it is the subject of fierce disputes showing that some will not be ready to make concessions.
The computing and analytical power of AI can prove to be an asset in the fight against health insecurity, in that it is capable of bringing a considerable gain in efficiency and productivity.
The emergency may justify temporary and moderate restrictions on individual freedoms if this is essential to put an end to the health crisis.
AI must remain in all circumstances ethical, sustainable, focused on the human factor, and respectful of individual freedoms.
Since AI does not have a specific regulatory framework to allay society’s fears, its creation is one of the primary concerns of defenders of individual freedoms in the quest for the development of AI in Europe.
For the time being, society must bear in mind that AI is nevertheless governed by the European and French legal systems relating to the protection of personal data and the protection of privacy.
Marie-Laure Denis, the president of the CNIL (national commission for data processing and freedoms), has also spoken out in this regard and calls on French citizens to be confident in the protection of their personal data[ 18].
 Définition de « l’intelligence artificielle » donnée par le Dictionnaire Larousse
 Le Livre Blanc sur l’Intelligence Artificielle, Com (2020) 65 final, 19/02/2020
 Les lignes directrices en matière d’éthique pour une IA digne de confiance, Commission Européenne, 8/04/2019
 Règlement européen (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données caractère personnel et à la libre circulation de ces données
 Directive Vie Privée 2002/58/CE du 12 juillet 2002 concernant le traitement des données à caractère personnel et la protection de la vie privée dans le secteur des communications électroniques