Data regulators need to push for a “global consensus” around the ethical use of personal information, particularly as technologies such as Artificial Intelligence (AI) are taking a greater role in decision making, says one of the EU’s top privacy enforcers.

European Data Protection Supervisor Giovanni Buttarelli told attendees at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels that there is currently “no ethical consensus” about data use.

“We do not have a consensus in Europe, and we certainly do not have one at a global level,” said Buttarelli. “But we urgently need one. Because digital technologies and data flows are already intensely global.” He also warned that “self-regulation alone is not the solution.”

Buttarelli said that ethics is among the “most pressing strategic challenges” for data protection authorities and warned that regulators need to “understand technology” so that they can “articulate a coherent ethical framework.”

“Otherwise, how can we perform our mission to safeguard human rights in the digital age?” he asked.

In particular, Buttarelli singled out algorithms that can make “informed” decisions as a key risk area, citing the fact that such technology is already responsible for deciding around 70 percent of the content that is viewed on the internet and social media sites through processing personal data—not necessarily responsibly.

“We need a critical understanding of the ethics informing decisions by companies, governments, and regulators whenever they develop and deploy new technologies” said Buttarelli, as “we are fast approaching a period where design, deployment, and control of new technologies and technological processes are delegated to machines.”

“The fact is that the European legislator did not think about ethics when it drafted the GDPR. In fact, the regulation only refers three times to ethical considerations in specific professions, like research.”

Giovanni Buttarelli, European Data Protection Supervisor

Buttarelli flagged up several areas where crucial decision making has been left to machines, such as in killer drones, and pointed out that just last month at the United Nations, “delegates were unable to reach agreement even to start discussions on how to control them.”

Other areas of concern include using algorithmic decision making in criminal sentencing and by social media companies “whose unaccountable algorithmic decision making has been weaponised by bad actors in ethnic conflict zones, with at times appalling human consequences, notably in Myanmar.”

On 23 October, the day before the conference began, data commissioners from several EU member states, as well as Canada, Hong Kong, Argentina, and the Philippines, agreed to a set of guiding principles regarding ethics, monitoring, and enforcement on AI. These underlined that developments and increased use of the technology need to ensure fairness, transparency, and accountability and that users must retain control over their own data.

Buttarelli told attendees that guiding principles and best practices can ensure that users’ rights to privacy and data protection remain paramount, even when they are meant to be enshrined in legislation—namely the EU General Data Protection Regulation (GDPR).

“The fact is that the European legislator did not think about ethics when it drafted the GDPR. In fact, the regulation only refers three times to ethical considerations in specific professions, like research,” said Buttarelli.

“This is not a criticism of the GDPR. It is a reality check on the limitations of any law, even a comprehensive one. Laws establish the minimum standard. Best practices are assumed to go beyond the minimum standard. So for me, compliance with the law is not enough,” he added.

Apple, Facebook, and Google were among the major technology and social media companies that took part in the conference and all pledged to improve how they use data and promised to give users better control over how their personal information is managed.

Apple Chief Executive Tim Cook said the company supports a U.S.-style data protection law that mirrors GDPR and criticised companies that profited from people’s data that was then used to manipulate political campaigns and incite violence.