The Data Protection Authority in Hungary, the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), recently published its annual report, which included details of a fine of €670,000 (HUF 250,000,000) imposed on a bank. To date, this fine is the highest imposed by the Hungarian Authority.
The fine was imposed on foot of the bank’s automatic analysis of recordings of customer service calls, by way of artificial intelligence. The AI analytical system deployed by the bank was designed to analyse and assess callers’ emotional states and keywords used on the calls. The results of this analysis were then stored along with recordings of the calls themselves and this data was used to rank the calls in order of priority to determine the order of contacting callers. The bank maintained the recorded calls for up to 45 days. The results of the analysis were also apparently used by the bank to manage complaints, to monitor call quality, to check work quality and to increase staff efficiency.
Flawed Compliance with GDPR
The NAIH found that the analysis of the recorded calls was not in itself unlawful. However, it did find a number of flaws in the bank’s compliance with the General Data Protection Regulation (GDPR) including the following:
- In the relevant privacy notice, no information in relation to voice analysis by AI or the purpose for such processing was provided and the right to object to the processing was accordingly absent.
- The bank’s justification for data processing was based on its legitimate interest to ensure good levels of customer retention and efficiency. However, the NAIH found that the bank had not adequately considered the so-called balancing of interest test.
- Although the bank had undertaken data protection impact assessments and recognised that some of the processing was high risk to data subjects, it failed to come up with and implement any risk-mitigating solutions.
Key Considerations on Using AI
The decision of the NAIH demonstrates that when organisations consider using artificial intelligence to process personal data, they must ensure that:
- data subjects’ rights are properly considered at the outset;
- any such use (and the related purpose(s)) is transparent and justified in the circumstances; and
- suitable records are maintained by the organisation to demonstrate accountability for compliance with GDPR.
If you have any Data Protection needs or would like further information on this issue, please contact a member of the Technology Department or your usual William Fry contact.
Contributed by Kate Sullivan