Microsoft Copilot in the news for GDPR reasons

This is the first of many new postings I’ll be doing on the broad themes of AI and Privacy regulation, as well as on tools and frameworks for dealing with the challenges they bring. I’ll focus on how they impact the online digital services and online product landscape.

Last week, the Norwegian data privacy regulator released the final report from its latest “AI sandbox” project to reach completion. A collaboration between the regulator and the largest Norwegian technical university (NTNU), it describes how the two jointly analysed the challenge of responsibly - and legally - deploying Copilot in an enterprise context. This report didn’t get much coverage internationally, possibly because it’s only available right now in Norwegian. It really should have gotten more press, because the implications of their analysis are potentially huge.

To my knowledge this is possibly the first time a European national data privacy regulator (not the EU’s AI Office) has publicly staked out a detailed position on the regulatory implications of an AI-powered system for a deployer of a very specific and popular real-world office application suite. Other national regulators will certainly be paying close attention.

The TL/DR summary is that it is indeed legally possible to deploy Copilot (wahay!). And… that there are some important “buts” to be considered.

Organisations need to work through these key questions before rushing to hit the “go” button on Copilot:

  • Get solid control, because Copilot sees almost everything you can see: make sure access rights to drives, folders and documents containing personal data - whether for staff or customers - are tightly controlled, and that the policies governing who has access are clear to everyone.

  • Define and limit the purposes Copilot can be used for: Copilot is a chat interface, so people can - in theory - ask it to do anything. So you need to be crystal clear with your leadership and with your staff about the types of purpose your company allows Copilot to be used for, and about what is off limits. Microsoft also provides tools to help manage this.

  • (Re-)consider the legitimacy of the GDPR legal bases your company leverages for each processing purpose that could involve Copilot: consider, among other things, whether the relevant people (potentially including your staff and your customers) are transparently informed that their personal data might be processed using AI tools.

  • Consider and act on the privacy consequences: the risks of using this new technology are difficult to quantify without detailed analysis and accountable decision-making for each type of processing purpose, so the Norwegian regulator recommends doing a Data Protection Impact Assessment (DPIA) for each and every type of purpose your organisation intends to use Copilot for. That sounds scary, but - with some focused effort - it is completely possible.

  • Make sure everyone using Copilot understands what AI is, how it works and how to use Copilot responsibly: this seems obvious, but it’s too easy to skip over this important communications and educational task.

  • National laws haven’t gone away: check that the access Copilot gives to email and other private communications doesn’t contradict any laws in your country governing communications confidentiality and similar issues.

  • Don’t rush it: take it step by step, testing and monitoring for unexpected and risky incidents along the way.

The other key takeaway is the pattern this sets for how GDPR should be considered in the adoption of other business tools that process personal and other data collected across the enterprise. Pretty much every tool I’ve used in my career as a product manager now has AI-driven virtual assistants and agents to help boost the productivity of their users, including many in the user data analytics and consumer marketing spaces. Within the EU and in an enterprise context, organisations will need to thoughtfully consider these in a very similar way to this “sandbox” approach to Copilot.

That’s my two cents. Feel free to pepper this with comments from far and wide!
