- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Wed, 13 Dec 2023 16:41:47 +0000
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Hi.

The Commission has published a Q&A on the AI Act, which provides a summary on the agreed final draft. One of the important conclusions is the FRIA - Fundamental Rights Impact Assessments, and the information to be contained within it. See https://ec.europa.eu/commission/presscorner/detail/en/QANDA_21_1683

DPV covers all the broad information categories (which makes me happy) - and shows that aligning AI concepts to the DPV structure has benefits in 'shared assessments' e.g. FRIA & DPIA - see last para.

Pragmatically, this means the 'Risk' extension with its taxonomy of Consequence and Impact should also be useful here, and any method to associate risk to rights/freedoms would be applicable for all such assessments (GDPR, DSA, DGA, AI Act).

Below I comment on the information required for FRIA and which DPV concepts can be used for it.

---

Q: What is a fundamental rights impact assessment? Who has to conduct such an assessment, and when?

The assessment shall consist of:

1) a description of the deployer's processes in which the high-risk AI system will be used,
-- this can be `dpv:Purpose` + `dpv:Process` (and optionally `dpv:Service`)

2) of the period of time and frequency in which the high-risk AI system is intended to be used,
-- this can be `dpv:Duration` + `dpv:Frequency`

3) of the categories of natural persons and groups likely to be affected by its use in the specific context,
-- `dpv:NaturalPerson` (and sub-categories as groups) associated using `dpv:hasImpactOn` (likelihood using `dpv:Likelihood`)

4) of the specific risks of harm likely to impact the affected categories of persons or group of persons,
-- this can be `dpv:Risk` + `dpv:hasImpact` `dpv:Harm` (and other risk concepts)

5) a description of the implementation of human oversight measures and of measures to be taken in case of the materialization of the risks.
-- this can be `dpv:RiskMitigationMeasure` + `dpv:HumanInvolvementForOversight` (note that technically these would be mitigating the consequences/impacts, and funny enough there isn't any assessment of how to avoid these from arising - hope the Act will have it)

If the provider already met this obligation through the data protection impact assessment, the fundamental rights impact assessment shall be conducted in conjunction with that data protection impact assessment.
-- from a rudimentary analysis, the only differences from DPIA are the AI specific concepts (risks, processes, mitigation measures) and the requirement for human oversight. So existing DPV uses for DPIA should be adaptable for FRIA.

---

Regards,

-- ---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Wednesday, 13 December 2023 16:41:55 UTC