Legal Considerations When Implementing Machine Learning Algorithms in Your Business
If you are a business looking to implement machine learning for your company or for another business, this resource will provide you with a better understanding of the various legal areas that you need to consider.
It is clear that data is ultimately the fuel of our economy today. Throughout the last few decades, there has been a significant shift towards an online economy in which data is shared and exchanged at unprecedented levels. Whether it’s a social media giant like Facebook or a small business collecting customer data, the protection of personal data has become increasingly important and has been subject to regulation and scrutiny over the last several years.
For many businesses, leveraging large data sets to understand their customers and create better products is a core business function. Machine learning algorithms are used to create better prediction models and improve the overall customer experience.
For example, a bank may use machine learning to predict a customer’s ability to repay loans. Similarly, an advertising platform may utilise machine learning to predict whether a user may be more likely to purchase a particular product.
Regardless of why your business collects and processes data, it is critical to understand and adhere to your legal obligations. It is important to be well versed in the laws and regulations that guide and protect data privacy in Australia, as well as other laws that can impact your business, such as the GDPR.
Which Australian laws guide data and machine learning?
Automated Decision-making Practices
Generally speaking, systems that involve automated decision-making fall under the guiding principles for automated systems. Automated systems must comply with the administrative law principles of fairness, rationality, and transparency. In addition, they must comply with fundamental privacy and human rights requirements.
According to the Commonwealth Ombudsman, an automated system should be efficient, accessible and accurate, and should take into consideration the needs of vulnerable and non-digital-ready users. The implementation of automated decision-making is also governed by the provisions of the Social Security (Administration) Act 1999 (Cth).
It is important to note that a machine learning algorithm can often be viewed as an automated system.
When creating an automated system, administrative law, privacy requirements, and human rights responsibilities should be integrated into its function and design.
Data Collection & Use
On many occasions, a machine learning algorithm will rely on personal data and information. If that’s the case, then you need to ensure that your data collection and usage practices adhere to Australian privacy laws.
The core legislation that regulates data collection and use in Australia is the Commonwealth Privacy Act 1988. This Act, in particular, applies to all Australian businesses that:
- have an annual turnover of $3 million AUD or more; or
- trade in personal information; or
- have a contract with the Commonwealth Government; or
- provide a health service.
There are 13 Australian Privacy Principles to be aware of:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use, or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
Some of these principles may not directly apply to your business. However, it’s recommended to familiarise yourself with them and make any changes required to fulfil the requirements. To learn more about the specific guidelines of these principles, check out the Australian Privacy Principles Quick Reference.
Other Data Protection Regulations
If your business interacts or deals with users (customers) from other parts of the world, it most likely has to follow the specific regulations of those territories.
While almost every country has its own legal framework for regulating data privacy, there are 3 main regulations Australian businesses need to be aware of:
- EU GDPR – The European Union General Data Protection Regulation
- UK GDPR – The United Kingdom General Data Protection Regulation
- CCPA – California Consumer Privacy Act
These regulations apply not only to businesses that are established in their respective territories but also to businesses that offer services to individuals based in these territories. And so, if your business provides (or plans on providing) services to, or interacts with, customers outside of Australia, it’s important to consider the international data privacy laws that can directly impact your business.
If your business is developing or planning on developing machine learning algorithms as a primary or secondary business initiative, it’s important to familiarise yourself with and adhere to the guiding principles, regulations and legislation mentioned in this resource.
If you need assistance to ensure your machine learning framework adheres to various local and international laws and regulations, contact our business law team or call us at 02 8644 6000, and we’ll be happy to discuss all your legal requirements.