Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Artificial Intelligence volume featuring discussion on various topics including, government national strategy on AI, ethics and human rights, AI-related data protection and privacy issues, trade implications for AI and more within key jurisdictions worldwide.
1 What is the current state of the law and regulation governing AI in your jurisdiction? How would you compare the level of regulation with that in other jurisdictions?
Applicable in Greece are EU regulations regarding issues that touch upon AI. Greece also follows most EU initiatives on AI.
Regulation (EU) 2018/1807 regulates the free flow of non-personal data in the European Union. As noted in the Recital of Regulation (EU) 2018/1807, the rapid development of the data economy and emerging technologies, such as AI, are raising novel legal issues surrounding questions of access to and reuse of data, liability, ethics and solidarity. This regulation aims to ensure the free flow of non-personal data within the European Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and the porting of data for professional users.
Greece has not introduced legislation specifically designed to horizontally regulate AI. As yet, there is also no significant regulation specific to any sector or business activity. However, developers of and those deploying AI are subject to already applicable Greek legislation on fundamental rights (eg, data protection, privacy, non-discrimination), consumer protection and product safety and liability rules. The Greek private law framework (eg, contracts and tort liability, rules on provision of services, producer liability) will also generally apply.
However, the application of traditional legal doctrines and established legal provisions on AI-based products and services can be challenging, especially in the area of intellectual property law (eg, issues of authorship in creative AI) and also in the area of data protection law (eg, possible conflict with the General Data Protection Regulation (EU) 2016/679 (GDPR) principle of accountability). The complexity, openness, autonomy and vulnerability of AI technologies raise the question of whether adjustments need to be made to currently applicable liability regimes.
Law 3908/2011 which introduces tax and other state aid incentives for investment in Greece. The ‘development of new products and new activities’ and in particular ‘robotic technologies, sensors and instruments, electronic systems and automation’ is within the scope of Law 3908/2011.
2 Has the government released a national strategy on AI? Are there any national efforts to create data sharing arrangements?
The Hellenic Ministry of Digital Governance is aiming to develop and publish in 2020 a national strategy on AI, followed by a corresponding action plan on AI. The central element of this initiative is the development of a ‘Bible of the Digital Transformation’, which, according to Digital Governance Minister Kyriakos Pierrakakis, will describe the main strategy of Greece in this field. Digital transformation has been identified by Minister Pierrakakis as a pivotal political and legislative priority, which will contribute to access to interoperable and normalised data, which is the basis for further development of AI applications and systems.
Greece has reportedly already initiated a procedure for mapping of AI initiatives across sectors on a national level, in collaboration and discussion with relevant academic and research stakeholders. The publication of the first part of the Bible of the Digital Transformation will be quickly followed by a national strategy specifically for AI, which will importantly address legislative issues and ethical aspects of AI. The main objective of this initiative will be to set up at least one pilot project per policy sector that will rely on AI technologies.
The National Infrastructures for Research and Technology (GRNET), an organisation operating under the auspices of the Ministry of Digital Governance, is the advanced network, cloud and IT services provider for the Greek educational, academic and research community. GRNET provides, inter alia, high performance computing resources to the Greek and international scientific and research communities, in order to conduct scientific research. GRNET operates the Advanced Research Information System, the national high performance computing system, which supports large-scale scientific applications, particularly in areas such as AI, big data analytics, computational fluid dynamics, cancer research and seismology.
The General Secretariat of Information Systems for Public Administration (GSISPA) is the competent organisation responsible for the cross-sectoral interoperability and the interoperability of all registers of public sector organisations. The Interoperability Centre of the Ministry of Digital Governance is the information system developed by the GSISPA, aiming at the interconnection of the electronic services of the Public Administration (Ministerial Decision 118944/2019). The Interoperability Centre ensures a unified environment and infrastructure for the installation and use of online services, through which operational data is exchanged between the Ministry of Digital Governance and public sector organisations. Moreover, the GSISPA develops, operates and administers the central government Cloud (G-Cloud) infrastructure, which can be used by government agencies to host their information systems. More specifically, according to Law 4623/2019, until 1 January 2022 at the latest, all central electronic applications and central information systems used by public sector organisations (including ministries, independent authorities, legal persons under public law, among others) for transactions with citizens, businesses and public administration, must be transferred and installed on the G-Cloud.
3 What is the government policy and strategy for managing the ethical and human rights issues raised by the deployment of AI?
In December 2018, the European Commission presented a coordinated plan, prepared with member states (with the participation of Greece), to foster the development and use of AI in Europe. The Coordinated Plan on Artificial Intelligence promotes a human-centric approach and ethics-by-design principles, according to which AI technology should be ‘predictable, responsible, verifiable, respect fundamental rights and follow ethical rules’.
The Hellenic Bioethics Commission (HBC) is an independent advisory body of experts offering their expertise to state authorities, primarily examining the interaction between life sciences and contemporary social values. The HBC contributes, inter alia, to policy initiatives, issues opinions and makes proposals for legislation. Among the topics recently examined by the HBC (which touch upon AI issues) is precision medicine and big data in health.
4 What is the government policy and strategy for managing the national security and trade implications of AI? Are there any trade restrictions that may apply to AI-based products?
Noting the early stage of development of AI regulation and policy in Greece, there is currently nothing specific to report. It is expected, however, that national security implications of AI will be within the scope of the national strategy for AI, which currently is being prepared by the Ministry of Digital Governance and is set to be published by the end of 2020.
Specifically in the field of cybersecurity, as recently noted by the Minister of Digital Governance, Greece has strengthened its cooperation with the European Union Agency for Cybersecurity (ENISA, which is based in Greece). Greece has also upgraded the role of the competent authority for cybersecurity (now it is a General Directorate), which is responsible for the national strategy on cybersecurity.
5 How are AI-related data protection and privacy issues being addressed? Have these issues affected data sharing arrangements in any way?
The development and use of AI must generally comply with the GDPR. However, certain principles and obligations introduced by the GDPR challenge the very nature of AI technologies and question their compliance with the said legal rules. For instance, in certain cases, the principle of data minimisation would seem incompatible with the fact that AI largely depends and builds on big data. Furthermore, AI systems often base the results and decisions they produce on complex algorithms and statistical correlations, which are hard (and, in certain cases, even impossible) to explain to data subjects in plain terms. For instance, in the case of profiling, this causes major GDPR compliance issues and challenges the ability to comply with the principle of transparency and the obligation to properly inform data subjects about data processing.
According to the ‘EU guidelines on ethics in artificial intelligence’, prepared by the European Parliamentary Research Service, privacy and personal data must be ensured at all stages of design, building and running of an AI system, while data subjects should be able to have full control over their own data, which should not be used to harm or discriminate against them. Developers of AI systems must implement a privacy-by-design approach and techniques when building an AI system (such as data encryption and data anonymisation) and they should also make system design choices that would ensure the quality of the data, in order to avoid socially constructed bias, inaccuracies, errors and mistakes. Having oversight mechanisms in place can contribute to data sets quality control.
The Hellenic Data Protection Authority (HDPA) has established, on the basis of article 35(4) of the GDPR, a draft list of the types of processing operations that are subject to the requirement for a Data Protection Impact Assessment (DPIA), including reference to indicative examples (DPIA Decision 65/2018). According to the HDPA, conducting a DPIA is needed in case of innovative use or application of new technological or organisational solutions, which can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms; such as the combined use of fingerprint and face recognition for improved physical access control, health applications or other ‘smart’ applications via which user profiles are generated (eg, daily habits), or AI applications, as well as publicly accessible blockchains that include personal data (further requirements apply).
According to recently introduced Law 4623/2019 on reorganisation of administration and digital governance, the Ministry of Digital Governance for the processing of all non-personal data collected and processed by public sector organisations and shall determine the purpose and means of processing of the said data, in particular with the objective of strategic planning and processing, use and storage through the use of new technologies, including:
- the interoperability of information systems and applications;
- data sharing between public sector organisations;
- the use of cloud services;
- open availability; and
- further use of public sector documents and data.
For personal data, in particular, the Ministry of Digital Governance will process such data in the capacity of controller. The processing of personal data will pursue the above-mentioned objectives.
6 How are government authorities enforcing and monitoring compliance with AI legislation, regulations and practice guidance? Which entities are issuing and enforcing regulations, strategies and frameworks with respect to AI?
As highlighted in the White Paper on Artificial Intelligence (A European approach to excellence and trust), which was published in February 2020 by the European Commission, it is important to examine whether EU legislation can be enforced adequately to address the risks that AI systems create, or whether adjustments are needed to specific legal instruments. The same, naturally, applies for Greek legislation.
As previously noted, the Ministry of Digital Governance is already working on a national strategy for AI that will address legislative issues and ethical aspects of AI. This is expected be published by the end of 2020.
Yannis Stournaras, the Governor of the Bank of Greece (which, inter alia, supervises private banks), very recently noted that AI, as an element of supervisory technology (suptech), can be applied in the process of market monitoring and analysis of delinquent behaviour (eg, money laundering, terrorist financing, fraud). It can also predict and offer early warning of a financial crisis.
7 Has your jurisdiction participated in any international frameworks for AI?
On a European level, Greece supports the implementation of AI-related initiatives. In May 2018, Greece signed the ‘Declaration of European Cooperation on AI’ and joined an initiative for boosting Europe’s technology and industrial capacity in AI, with the objective of ensuring an adequate legal and ethical framework for AI, building on EU fundamental rights and values. Greece has also participated in the ‘Coordinated Plan on Artificial Intelligence’, which builds on the ‘Declaration of European Cooperation on AI’, aiming to foster the development and deployment of ethical and secure AI in Europe via joint actions between participating countries in the following key areas:
- increasing investment;
- making more data available;
- fostering talent; and
- ensuring trust.
Greece supports the Confederation of Laboratories for Artificial Intelligence Research in Europe, an initiative by the European AI community that seeks to strengthen AI research and innovation in Europe. Greece also supports the European Lab for Learning and Intelligent Systems, another European initiative for AI, with a mission to promote research excellence and advance breakthroughs in AI in Europe.
Greece further participates to the EU initiative on European High Performance Computing (EU Regulation 2018/1488), with its ultimate objective to develop, deploy, extend and maintain in the EU an integrated world-class supercomputing and data infrastructure and to develop and support a highly competitive and innovative high performance computing ecosystem. High performance computing is vitally linked with the development and use of artificial intelligence models.
8 What have been the most noteworthy AI-related developments over the past year in your jurisdiction?
Over this past year, high-profile multinational technology companies have chosen to invest in and enter the Greek market offering AI-related services. Notably, in February 2020, the Ministry of Digital Governance signed a memorandum of understanding with Amazon Web Services, a cloud computing service provider, for cooperation in the areas of digital governance, innovation, digital infrastructure, cloud skills education and the Greek state’s digitalisation programme.
In 2019, DeepBlue Technology, a leading Chinese firm in the AI technology industry, also announced its entry into the Greek market, with AI applications in the areas of public transportation, payment methods, retail and the overall contemporary urban environment. Reportedly, DeepBlue Technology will transfer know-how on big data, AI and cloud technology and will develop AI applications in Greece, contributing to the creation of new high skill jobs.
The Artificial Intelligence Centre of Excellence is the work of a collaboration between the National Centre for Scientific Research and Ernst & Young, having been established in 2019. The Artificial Intelligence Centre of Excellence will primarily focus on the field of intelligent document analysis and will contribute to the efforts towards Greece’s national AI policy.
9 Which industry sectors have seen the most development in AI-based products and services in your jurisdiction?
The banking sector is among the sectors that have seen noteworthy development in AI-based products and services in Greece. Fintech builds on AI and big data in order to provide customer service (via chatbots), but also in order to offer personalised products, services and financial advice for customers, based on each individual’s profile. AI is also used for risk management (eg, in order to perform more efficient credit analysis). Real-time AI analytics are further being used by banking institutions to detect and block online fraudulent activity and improve their protection against cyberthreats and increase their operating resilience.
The health sector, as well, has significantly benefited from the implementation of AI technologies. For instance, in the field of clinical trials, monitoring of the health of participating patients can generally expedite the procedure, offering researchers additional and more complete sets of data (eg, via the use of wearable devices). Notably, Watson for Oncology, an AI system developed by IBM, is already being used by a private hospital in Greece. This AI tool assesses information from a patient’s medical record and displays potential treatment options based on information from relevant medical guidelines, best practices, journals and textbooks.
The digital marketing sector has also benefited from the use of AI technologies, using AI solutions that offer personalised ads recommendations for revenue optimisation.
10 Are there any pending or proposed legislative or regulatory initiatives in relation to AI?
In 2019, Greece established a standing scientific committee to examine the effects on the judicial system of the introduction of AI. The committee will consider new technological developments in the field of AI and will prepare and submit regulatory proposals to the Minister of Justice, Transparency and Human Rights for the modernisation of the Greek legal framework and the protection of the rights of affected individuals.
Greece has not yet transposed Directive (EU) 2019/1024 on open data and the re-use of public sector information into the Greek legal framework, the deadline for transposition being 17 July 2021. Implementation of Directive (EU) 2019/1024 aims to bring the European legislative framework up to date with the advances in digital technologies, to further stimulate digital innovation, especially with regard to artificial intelligence, and is expected to generally contribute to the creation of new services and new applications, which are built upon the use, aggregation or combination of data.
11 What best practices would you recommend to assess and manage risks arising in the deployment of AI?
AI applications are likely to pose high risks for citizens and our society in general and, as such, ensuring that AI is trustworthy, secure and in compliance with established ethical values and rules must be a priority for developers, those deploying AI, regulators and enforcement authorities.
Developers of and those deploying AI systems must design a risk assessment process before the development and deployment of the AI systems. Importantly, since AI systems can, under certain circumstances, evolve over time, the risk assessment process needs to be frequently re-evaluated. It can often be a challenging exercise to use traditional risk assessment frameworks to deal with risks posed by AI technologies. For instance, assessing the risk of automation bias is largely dependent upon the definition, evaluation and measurement of concepts such as ‘fairness’.
The principle of accountability, as introduced by the GDPR, requires that developers of and those deploying AI systems are responsible for the compliance of such systems with the data protection legislation. It also requires that they assess and mitigate risks to rights and freedoms that AI can pose and document how the AI systems are compliant with applicable data protection rules, primarily the GDPR.
In compliance with the GDPR principle of fairness, AI systems must be sufficiently statistically accurate, meaning that, for example, when an AI system is used to make inferences about individuals, it must be ensured that it produces statistically informed guesses, which are accurate at an acceptable rate (taking into account the risks involved for individuals on a case-by-case basis) and do not lead to unfair or negative outcomes for individuals. It is advisable that possible complaints and rights requests by affected individuals for statistically inaccurate outputs are documented and also, on a regular basis, that indicative AI decisions are reviewed by for statistical accuracy. Having in place appropriate measures to evaluate statistical accuracy from the design phase and implementing regular monitoring and testing mechanisms, apart from being a best practice, it arguably also constitutes part of the GDPR obligation to implement data protection by design and by default.
Addressing risks of automation bias is a major challenge in the deployment of AI, especially in cases of automated decision-making, when AI is used to inform legal or similarly significant decisions about individuals. As a matter of best practice, developers of and those deploying AI projects should have controls in place to identify and mitigate automation bias at all stages and implementation milestones of the project, including the early scoping and design phases and also development and deployment. Human review is essential for addressing automation bias and in order for this to be meaningful and effective, it needs to be supported by design requirements developed at the early stages of the AI project.
The Inside Track
What skills and experiences have helped you to navigate AI issues as a lawyer?
Our understanding of the underlying technical aspects and economic issues of the cutting-edge products and services we advise on, has proved to be a main comparative advantage. Ballas, Pelecanos & Associates LPC has also been, since 2013, the exclusive Greek member of Lexing, the first international network of lawyers dedicated to digital and advanced technology law and data protection.
Which areas of AI development are you most excited about and which do you think will offer the greatest opportunities?
There is no doubt that AI is rapidly changing the world we live in, having a transformative effect on all sectors of the economy. AI is also redefining art and our perception for art, changing the nature of creative processes and having already, as a consequence, a significant impact on culture. AI technologies are increasingly used in art, generating quality works, which effectively prove that non-biological agents lacking consciousness can be creative. While the influence and use of AI on entertainment media is likely to increase in the near future (especially in the video games, film and music industries), there are legal considerations attached to the use of AI for creative purposes, pushing the boundaries of intellectual property law.
What do you see as the greatest challenges facing both developers and society as a whole in relation to the deployment of AI?
One of the greatest challenges is determining liability and choosing or forming the right liability regime to deal with the risks and harms connected with the deployment of AI. Advanced AI systems with self-learning and autonomous capabilities will often raise the question of how unpredictable deviations in the decision-making path, making the cause and effect relationships indistinguishable, need to be treated.
Likewise, the issue of possible appointment of legal personality (rights and obligations) to autonomous AI systems will also be challenging. This issue has ceased to be merely theoretical. Very recently the European Patent Office refused two European patent applications in which an AI system was designated as the inventor, arguing they do not meet the legal requirement of the European Patent Convention that an inventor designated in the application has to be a human being.