Better alone than in bad company: Addressing the risks of companion chatbots through data protection by design

IF 3.3 3区社会学 Q1 LAW

Computer Law & Security Review Pub Date : 2024-07-25 DOI:10.1016/j.clsr.2024.106019

Pierre Dewitte

{"title":"Better alone than in bad company: Addressing the risks of companion chatbots through data protection by design","authors":"Pierre Dewitte","doi":"10.1016/j.clsr.2024.106019","DOIUrl":null,"url":null,"abstract":"<div><p>Recent years have seen a surge in the development and use of companion chatbots, conversational agents specifically designed to act as virtual friends, romantic partners, life coaches or even therapists. Yet, these tools raise many concerns, especially when their target audience is comprised of vulnerable individuals. While the recently adopted AI Act is expected to address some of these concerns, both compliance and enforcement are bound to take time. Since the development of companion chatbots involves the processing of personal data at nearly every step of the process, from training to fine-tuning to deployment, this paper argues that the General Data Protection Regulation (“GDPR”), and data protection by design more specifically, already provides a solid ground for regulators and courts to force controllers to mitigate these risks. In doing so, it sheds light on the broad material scope of Articles 24(1) and 25(1) GDPR, highlights the role of these provisions as proxies to Fundamental Rights Impact Assessments (“FRIAs”), and peels off the many layers of personal data processing involved in the companion chatbots supply chain. That reasoning served as the basis for a complaint lodged with the Belgian data protection authority, the full text and supporting evidence of which are provided as supplementary materials.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106019"},"PeriodicalIF":3.3000,"publicationDate":"2024-07-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Law & Security Review","FirstCategoryId":"90","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0267364924000852","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}

引用次数: 0

Abstract

Recent years have seen a surge in the development and use of companion chatbots, conversational agents specifically designed to act as virtual friends, romantic partners, life coaches or even therapists. Yet, these tools raise many concerns, especially when their target audience is comprised of vulnerable individuals. While the recently adopted AI Act is expected to address some of these concerns, both compliance and enforcement are bound to take time. Since the development of companion chatbots involves the processing of personal data at nearly every step of the process, from training to fine-tuning to deployment, this paper argues that the General Data Protection Regulation (“GDPR”), and data protection by design more specifically, already provides a solid ground for regulators and courts to force controllers to mitigate these risks. In doing so, it sheds light on the broad material scope of Articles 24(1) and 25(1) GDPR, highlights the role of these provisions as proxies to Fundamental Rights Impact Assessments (“FRIAs”), and peels off the many layers of personal data processing involved in the companion chatbots supply chain. That reasoning served as the basis for a complaint lodged with the Belgian data protection authority, the full text and supporting evidence of which are provided as supplementary materials.

查看原文本刊更多论文

独乐乐不如众乐乐：通过设计数据保护应对伴侣聊天机器人的风险

近年来，伴侣聊天机器人的开发和使用激增，这些对话代理专门设计用来充当虚拟朋友、浪漫伴侣、生活教练甚至治疗师。然而，这些工具引发了许多担忧，尤其是当其目标受众是弱势群体时。虽然最近通过的《人工智能法》有望解决其中一些问题，但合规和执法都需要时间。由于伴侣聊天机器人的开发从培训、微调到部署，几乎每一步都涉及到个人数据的处理，因此本文认为，《通用数据保护条例》（"GDPR"）以及更具体的数据保护设计已经为监管机构和法院提供了坚实的基础，迫使控制者降低这些风险。在此过程中，它阐明了《一般数据保护条例》第 24(1)条和第 25(1)条的广泛实质范围，强调了这些条款作为基本权利影响评估（"FRIA"）代理的作用，并剥离了伴侣聊天机器人供应链中涉及的多层个人数据处理。该推理是向比利时数据保护机构投诉的依据，其全文和佐证作为补充材料提供。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Law & Security Review LAW-

CiteScore

5.60

自引率

10.30%

发文量

审稿时长

67 days

期刊介绍： CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, Identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments, national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.