The Hungarian Data Protection Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) recently published its annual report, which included details of a fine of €670,000 (HUF 250,000,000) imposed on a bank. To date, this is the highest fine imposed by the Hungarian Authority.
The fine arose from the bank's automated analysis of recordings of customer service calls using an artificial intelligence system. The AI system deployed by the bank was designed to analyse and assess callers' emotional states and the keywords used on the calls. The results of this analysis were stored together with the call recordings themselves and were used to rank the calls in order of priority, which in turn determined the order in which callers were contacted. The bank retained the recorded calls for up to 45 days. The results of the analysis were also apparently used by the bank to manage complaints, to monitor call quality, to check the quality of staff work and to increase staff efficiency.
Flawed Compliance with GDPR
The NAIH found that the analysis of the recorded calls was not in itself unlawful. However, it did find a number of flaws in the bank's compliance with the General Data Protection Regulation (GDPR) including the following:
- The relevant privacy notice contained no information about the AI voice analysis or the purpose of that processing, so data subjects were not told of the processing and were accordingly given no opportunity to exercise their right to object to it.
- The bank relied on its legitimate interest in maintaining good levels of customer retention and efficiency as its lawful basis for the processing (Article 6(1)(f) GDPR). However, the NAIH found that the bank had not adequately carried out the balancing-of-interests test that this basis requires, i.e. weighing its own interests against the rights and freedoms of the data subjects.
- Although the bank had carried out data protection impact assessments and had itself recognised that some of the processing posed a high risk to data subjects, it failed to identify or implement any measures to mitigate that risk.
Key Considerations on Using AI
The decision of the NAIH demonstrates that when organisations consider using artificial intelligence to process personal data, they must ensure that:
- data subjects' rights are properly considered at the outset;
- any such use (and the related purpose(s)) is transparent to data subjects and justified in the circumstances; and
- suitable records are maintained by the organisation to demonstrate accountability for compliance with GDPR.
Contributed by Kate Sullivan
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.