Datatilsynet (Denmark) - 2023-212-0015
Latest revision as of 12:38, 29 November 2023
Datatilsynet - 2023-212-0015 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 6(1)(e) GDPR; Article 6(3) GDPR |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | |
Decided: | 17.11.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2023-212-0015 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Digitaliseringsstyrelsen (in DA) |
Initial Contributor: | n/a |
The Danish DPA issued a negative opinion regarding the City of Copenhagen’s plan to develop AI tools to identify citizens in need of rehabilitation, as the national law relied upon for the purposes of Article 6(1)(e) GDPR and Article 6(3) GDPR was not specific enough in relation to the scope of the AI’s use.
English Summary
Facts
On 22 March 2023, the City of Copenhagen requested the Danish DPA to issue an opinion on whether they could lawfully develop and implement an AI tool to identify citizens in need of rehabilitation.
In this request, the City submitted the following information in relation to the sources of data used, legal basis for processing and the purposes of processing:
Firstly, the algorithm was intended to help make rehabilitation services available to a wider demographic. It was not intended to deprive citizens who would normally be entitled to rehabilitation services, but rather to assist municipal staff in identifying which other citizens were in need of rehabilitative assistance.
Secondly, the sources of data which the City wished to process were national patient medical records. These records included information such as patients’ social security number, age, date of birth, and gender.
Thirdly, the City wished to rely on Articles 6(1)(e) and 9(1)(g) GDPR. Under Article 6(3) GDPR, reliance on Article 6(1)(e) GDPR as a legal basis for processing must be laid down by Union law or Member State law. As a result, the City of Copenhagen submitted that they were relying on section 86 of the Danish Social Services Act. Section 86 provides that the local council must offer rehabilitation services to residents who have a physical impairment.
Holding
The Danish DPA issued a negative opinion regarding the City’s plan to develop the AI tool, because the national law relied upon did not define the scope of the AI tool’s use.
The DPA concluded that the use of the AI tool would constitute high-risk processing, as the AI tool would produce a decision-supporting prediction about an individual citizen, which would influence the citizen's access to health care services. Even though the AI tool was not intended to deprive residents of rehabilitation services and was intended to have positive consequences, its use could still be intrusive for data subjects.
Consequently, the City’s reliance on section 86 of the Danish Social Services Act was insufficient. Section 86 only imposed a legal obligation on local councils to provide rehabilitation services, but it did not define the scope of the AI’s use or provide guidelines for its implementation. Therefore, the City could not rely on section 86 for the purposes of Article 6(3) GDPR.
Comment
The Danish DPA did not clarify whether the City's request for an opinion was a request for prior consultation under Article 36 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Statement on the processing basis for the development and operation of AI solutions within the health and care sector

Date: 17-11-2023

Decision, Public authorities, Response to inquiry, Processing basis

At the request of Copenhagen Municipality, the Danish Data Protection Authority has assessed whether the municipality has the authority to develop, operate and retrain an AI solution that can identify citizens in need of maintenance training and rehabilitative efforts.

Journal number: 2023-212-0015.

1. The inquiry

On 22 March 2023, the Municipality of Copenhagen asked the Danish Data Protection Authority for an assessment of whether the municipality is authorized to develop, operate and retrain an AI solution that can identify citizens in need of maintenance training and rehabilitative efforts.

It should be noted at the outset that the Danish Data Protection Authority has only assessed the question of whether the Municipality of Copenhagen has a processing basis for the development, operation and retraining of the solution in question. The Danish Data Protection Authority has thus not looked further into any other data protection law or health law issues.

2. The Danish Data Protection Authority's assessment

It is the Danish Data Protection Authority's assessment that the development, operation and retraining of an AI solution where personal data and special categories of personal data are processed with the aim of predicting citizens' need for and benefit from rehabilitation in order to avoid functional impairment can generally be done on the basis of the data protection regulation's article 6, subsection 1, letter e, and Article 9, subsection 2, letter g. However, both provisions require a so-called supplementary national legal basis.

Processing of personal data for the development, including retraining, of the solution can, in the Danish Data Protection Authority's assessment, be done with reference to the existing provisions in the Services Act, which obliges the municipality to make a decision on and deliver maintenance training and rehabilitative efforts.

Processing of personal data as part of the operation of the solution cannot, however, take place within the framework of these provisions, as there is not a sufficiently clear legal basis in light of how intrusive a processing activity is.

This assessment is explained in more detail below.

3. The background for the assessment

The Municipality of Copenhagen has stated that, based on its own data, the municipality wishes to develop, commission and retrain an AI solution that can identify citizens in need of maintenance training. The solution will be used as decision support by case managers in the municipality's health and care administration.

The municipality has provided the following information about the purpose of the AI solution:

"With the project, [the municipality] wants to use two algorithms to maintain the citizens' functional level for as long as possible for the benefit of the citizen himself. This is also beneficial for [the municipality], because it can postpone the citizens' need for help from the administration. The purpose is thus to ensure that citizens receive the right maintenance training or rehabilitative efforts in a timely manner so that they can manage on their own for as long as possible, and that the need for help from the administration is postponed.

The algorithm is not intended to result in persons who would normally be offered this training or rehabilitation being deprived of this opportunity. It is intended to help the municipality's staff, so that more citizens - where relevant - can benefit from training and rehabilitation."

Copenhagen Municipality has also provided the following information about the AI solution:

"The algorithm constitutes a decision support tool. The algorithm can identify with relatively high accuracy which citizens can complete a training course and who will benefit from the course. The algorithm must thus, on the basis of a statistically based analysis, support the individual visitor's professional assessment of which citizens will benefit from maintenance training or a rehabilitative effort. The algorithm is intended as an aid to support the employees in [the municipality's] assessment of who can benefit from the rehabilitation course.

[...]

The algorithm must then be trained on [the municipality's] information. It is intended that information for training the algorithm should come from historical cases."

Finally, Copenhagen Municipality has generally stated that personal data originating from three general situations will be processed:

"Personal information included in cases which also constitute patient records. It concerns information from cases from the municipal nursing service. It can also be information from training places, e.g. therapists. [The municipality] is also responsible for preventive measures according to Section 119 of the Health Act, and in this connection there are also cases where information is included that is part of a patient record.

Personal information received by the visitation in order to be able to award a benefit in accordance with the Service Act. [The municipality] inspects and makes a decision on the allocation of benefits in accordance with certain provisions of the Services Act. This primarily concerns benefits for citizens over 65 years of age. However, all cancer patients will be examined and a decision made in [the municipality].

Personal information necessary to be able to carry out the task of providing the assigned service from the visitation. In addition, [the municipality] also has a large number of personal data that is used as part of the actual implementation of the decisions made pursuant to section 2. This personal data is processed so that it is possible for e.g. the home care and the rehabilitation centers to carry out their tasks."

There will thus, among other things, be processed personal data about: the citizen's social security number, age, date of birth and gender, whether the citizen has been offered rehabilitation by a helper, whether the citizen has received aids, which aids the citizen has received, the loan period for the aid, and the citizen's rehabilitation course, e.g. when the person has trained and whether the training course has been completed.

The Danish Data Protection Authority therefore assumes that both training and operation of the AI solution will involve the processing of personal data and special categories of personal data, including health information.

3.1. The Data Protection Regulation

It is the Danish Data Protection Authority's assessment that it is in particular the data protection regulation's article 6, subsection 1, letter e, on the exercise of public authority, which is a relevant basis for the processing of personal data in connection with the development and operation of the AI solution.[1]

Processing of personal data on the basis of the data protection regulation, article 6, subsection 1, letter e, requires that there is a so-called supplementary legal basis which obliges or entitles the authority to carry out a specific authority task. It follows from the regulation's article 6, subsection 2 and 3.

Furthermore, it is the Danish Data Protection Authority's assessment that the ban on the processing of special categories of personal data in the data protection regulation's article 9, subsection 1, will be able to deviate according to the data protection regulation, article 9, subsection 2, letter g.

The provision states that the prohibition under subsection 1, does not apply if processing is necessary for reasons of significant public interest on the basis of EU law or the national law of the Member States and is proportionate to the objective pursued, respects the essential content of the right to data protection and ensures appropriate and specific measures to protect the data subject's fundamental rights and interests.

A deviation from the prohibition in the data protection regulation, article 9, subsection 1, according to the regulation's article 9, subsection 2, letter g, presupposes, as is the case with article 6, paragraph 1, letter e, that there is a supplementary legal basis.

3.2. Requirements for the supplementary legal basis

Article 6 of the Data Protection Regulation, subsection 3, contains several requirements for the supplementary legal basis, which must therefore meet certain criteria.

Firstly, it is required according to Article 6, paragraph 3, 1st point, that the basis for the processing must appear from EU law or national law.

It appears from preamble consideration no. 45 that the data protection regulation does not imply that a specific law is required for each individual processing pursuant to Article 6, subsection 1, letter e. A law may be sufficient as a basis for several data processing activities. However, there is a requirement that processing according to the provision takes place on the basis of EU law or national law.

Furthermore, it follows from preamble no. 41 to the data protection regulation that the legal basis in question does not necessarily require a law, but that the legal basis should be clear and precise, and the scope should be predictable for persons covered by the scope of the legal basis.

From the Ministry of Justice's report no. 1565/2017, pp. 132f. the following appears about the regulation's article 6, subsection 1, letter e:

"In this connection, it must be assumed that Article 6, subsection 1, letter e, is directly applicable as a basis for processing, as long as the data controller performs a task in the interest of society or which falls under the exercise of public authority, which the data controller has been assigned. The use of Article 6, subsection 1, letter e, as a basis for processing, thus does not require national, implementing legislation on the actual processing of personal data in connection with the performance of tasks in the interest of society or as part of the exercise of public authority.

The use of Article 6, subsection 1, letter e, does not necessarily require that the task, which requires the processing of personal data, is expressly assigned to the authority in the legislation. In this connection, reference can be made to [The Danish Data Protection Authority's statement in the case with j.no. 2004-54-1394], where the inspection found it natural that the Ministry of Education, as the central authority in the area, solved a task regarding digital registration for and application for admission to education programs, even though there was no express legal authority that tasked the ministry with the task. The ministry could therefore use i.a. § 6, subsection 1, no. 5, in the Personal Data Act on processing that is necessary for the performance of a task in the interest of society."

In addition, the following appears from p. 160 of the report on the regulation's article 6, subsection 3:

"It also follows from the regulation's article 6, subsection 3, 2nd point, specifically regarding processing referred to in Article 6, subsection 1, letter e – i.e. for the purpose of carrying out a task in the interest of society or which falls under the exercise of public authority - that the processing must be "necessary for the performance of a task in the interest of society or which falls under the exercise of public authority". Here, too, it must be sufficient for the fulfillment of this necessity requirement that it can be derived from the relevant national law with its preamble, provided that the processing is actually "necessary".

In Article 6, subsection 3, last indent, there is an additional requirement for the legislation that adapts the application of the data protection regulation. There is a requirement that the national law of the Member States must fulfill an objective in the interest of society and be proportionate to the legitimate aim pursued. The Data Protection Regulation thus establishes a requirement for proportionality and observance of the public interest in connection with national law and EU law, which adapts the application of the Data Protection Regulation."

Finally, the European Court of Justice states the following in its judgment of 24 February 2022 in case C-175/20[2]:

"In this regard, it is nevertheless noted that the legislation which forms the basis for the processing, in order to fulfill the requirement of proportionality, which Article 5, paragraph 1, letter c), [...] is an expression of [...], must lay down clear and precise rules that regulate the scope and application of the measure in question, and that establish minimum requirements, so that the persons whose personal data are affected have adequate safeguards that enable this information to be effectively protected against the risk of misuse. This legislation must be legally binding in national law and, in particular, specify the circumstances and under which conditions a measure can be adopted on the processing of such information, thereby ensuring that the intervention is limited to what is strictly necessary"

The requirement for the clarity of the supplementary legal basis in question thus generally depends on how intrusive the processing of personal data that takes place in the solution will be for the citizen. If it is a completely harmless treatment, the requirements will be less than if it is an intrusive treatment, where greater demands are placed on the clarity of the legal basis.

In this connection, the following appears from the Danish Data Protection Authority's guidance on the use of artificial intelligence by public authorities (Before You Get Started)[3]:

"The requirements for the clarity of the legal basis, which must form the background for your processing of personal data when operating an AI solution, depend on how intrusive the processing is for citizens. In the Data Protection Authority's view, the legal basis must be assessed based on how direct and intrusive e.g. a decision or activity is for the citizens. This applies regardless of whether the activity is burdensome or beneficial. The legal basis must be proportionate to the legitimate purpose pursued, and the processing must not be more intrusive than necessary.

In the Data Protection Authority's view, there are different requirements for the clarity of the relevant legal basis for the development and operation of the solution. As mentioned above, developing an AI solution as an overriding starting point does not have direct consequences for citizens.

By contrast, an AI solution in operation is expected to generate predictions, recommendations, etc., such as must be decision support for the authority's case handlers. It may also be that an AI solution must make automatic decisions towards citizens. The consequences for citizens are thus often greater when the AI solution is in operation, and higher demands are therefore placed on the clarity of the legal basis that forms the basis for using the solution in operation.

In the assessment of whether the legal basis that you have identified is sufficiently clear, you should include what information is processed and about which persons, including e.g. vulnerable citizens. In addition, you must include whether the relevant prediction, decision, etc., which the AI solution generates, has an impact on the citizen's economic, educational, social, health or similar conditions.[4] The impact can be both positive and negative.

Finally, you should consider whether the treatment in question, including the fact that the treatment takes place using AI, is predictable and transparent for the citizen."

3.3. The Service Act

It follows from Section 86 of the Social Services Act[5] that the municipal council must offer rehabilitation to remedy physical impairment caused by illness that is not treated in connection with hospitalisation. According to paragraph 1 of the provision 2, the municipal council must also offer help to maintain physical or mental skills to persons who, due to reduced physical or mental functioning or special social problems, need this.

Furthermore, section 112 of the Social Services Act states that the municipal council must provide support for aids to persons with permanently impaired physical or mental functioning, when the aid (i) can significantly remedy the lasting consequences of the impaired functioning, (ii) can significantly facilitate daily life at home or (iii) is necessary for the person concerned to exercise a profession.

From the comments to §§ 86 and 112 to the proposal for an act on social services (Folketingstidende 2004-05 (2nd collection), appendix A, bill of 24 February 2005, sp. 2160 and 2163) it appears that both provisions are a continuation of the (then) applicable provisions §§ 73 a and 97 of the Social Services Act.

§ 73 a of the Act on Social Services was inserted by Act No. 1307 of 20 December 2000 on the Act on Amendments to the Act on Social Services (Flexible Home Care and Municipal Rehabilitation). Furthermore, Section 97 of the Social Services Act was inserted by Act No. 454 of 10 June 1997 on social services.

It is not clear from the preparatory work for these provisions how the municipality will specifically carry out these tasks. As far as section 73 a is concerned, it appears from the preparatory work for the provision that the municipality must "offer rehabilitation after a concrete individual assessment of the need. The aim is, as far as possible, to regain the lost functional capacity. When it makes a decision, the municipality has a duty to include all possibilities for help according to the social legislation."

In addition, the drafters of the provisions are not seen to mention in detail how personal data must be processed as part of the municipalities' performance of tasks under these provisions or the relationship to the data protection rules in general, just as section 97 of the Social Services Act was introduced before the data protection directive[6] was implemented in Danish law by the Personal Data Act[7].

Finally, the following generally appears from the preparations for Act No. 573 of 24 June 2005 on social services (Folketingstidende 2004-05 (2nd collection), appendix A, sp. 2145), which is the most recent main act:

"The Ministry of Social Affairs has reviewed the bill with a view to assessing the relationship with the Personal Data Act and assesses that data exchange can take place within the framework of the Personal Data Act."

The relationship with the data protection rules is not otherwise mentioned in the preparations for the main act from 2005.

3.4. The Danish Data Protection Authority's assessment

It is the Danish Data Protection Authority's assessment that the development, operation and retraining of an AI solution where personal data and special categories of personal data are processed with the aim of predicting citizens' need for and benefit from rehabilitation in order to avoid functional impairment can generally be done on the basis of the data protection regulation's article 6, subsection 1, letter e, and Article 9, subsection 2, letter g.

3.4.1. Development, including retraining, of the solution

Processing of personal data for the development of an AI solution with a view to predicting the need for and benefit from citizens' training and rehabilitation can, according to the Danish Data Protection Authority's assessment, be done with reference to the provisions in question in the Services Act, which obliges the municipality to make a decision on training and rehabilitative efforts, cf. the data protection regulation's article 6, subsection 1, letter e, and Article 9, subsection 2, letter g, in conjunction with Article 6, subsection 2 and 3.

The Danish Data Protection Authority has in particular emphasized that the development of the solution does not entail direct consequences for citizens.

Public authorities can thus often, within the framework of the legislation that obligates or entitles the authority to carry out a specific task, design, develop and test AI solutions that can support the authority in carrying out this task.

However, as part of the assessment of whether an AI solution should be developed, authorities should carry out an overall assessment of the entire life cycle of the AI solution to ensure that the authorities have also identified a possible processing basis for putting the solution into operation afterwards, or whether as part of the development project, it is necessary to take steps to provide a processing basis for operating the solution, e.g. in that a decision is made on the part of the legislator as to whether clear national rules must be laid down, which can constitute the necessary supplementary legal basis according to the data protection regulation's article 6, subsection 2 and 3, for operation of the solution.

3.4.2. Operation of the solution

The Danish Data Protection Authority assumes that personal data during the operation of the solution will be processed with a view to producing a prediction of whether a citizen needs and will benefit from training and rehabilitation pursuant to § 86 and § 112 of the Service Act.

The Danish Data Protection Authority notes that the use of AI solutions cannot generally be said to be intrusive towards the citizen. However, using AI solutions to solve or support the solution of citizen-oriented authority tasks will often be intrusive for citizens. This applies, among other things, to when such solutions are used as decision support in administrative proceedings.

According to the information, the AI solution does not intend to deprive citizens of the opportunity to be offered training or rehabilitative efforts. Regardless of the fact that the treatment will not necessarily have negative consequences for the citizen – and may even have positive consequences depending on the circumstances – it will be the case that the solution produces a (decision-supporting) prediction about the individual citizen, which the authority will act on and influence the citizen's health situation.

It is noted below that the use of AI solutions for decision support entails a risk of the employees attaching greater importance to the solution's assessment of a case than their own assessment, which constitutes an additional risk for the citizen.

In addition, the processing of large amounts of personal data and of sensitive personal data speaks for considering the processing as intrusive. It is, among other things, often the case when using AI solutions.

Therefore, the use of AI as part of the case management, as is the case in this case, has an impact on how clear the supplementary national legal basis must be. This is because the use of AI i.a. means that AI solutions can learn, find connections and carry out probability analyses and draw conclusions far beyond what a physical case manager would be able to do. The use of AI in administrative case processing is thus fundamentally different from the traditional human case processing that has been the norm until now. This speaks for greater demands being made on the clarity of the national supplementary legal basis.

In other words, there are not necessarily fewer demands on the national legal basis solely as a result of the fact that, according to the information, the treatment in question does not have negative consequences for the citizen.

It is also noted that it will not necessarily be predictable and transparent for the citizen that his potential need for and benefit from training and rehabilitation is assessed using an AI solution.

In addition, it must be emphasized that the target group whose personal data is to be processed – citizens whose health is in a situation that necessitates an assessment of a potential need for training in order to avoid functional impairment – is a vulnerable target group.

Against this background, it is the Danish Data Protection Authority's assessment that a clear supplementary national legal basis is required for the operation of a decision-supporting AI solution that predicts citizens' needs for and benefit from training and rehabilitative efforts.

In this connection, the Danish Data Protection Authority's assessment is that § 86 and § 112 of the Service Act are in the nature of provisions which only generally oblige municipalities to carry out certain tasks and in this connection require the processing of personal data for the purpose of carrying out these tasks. However, neither the provisions nor the processors for this mention the scope of the processing of personal data that can take place to carry out these tasks, including whether - and to what extent - personal data can be processed in the way that will be the case when using the AI solution in question.

It is thus the Danish Data Protection Authority's assessment that the mentioned provisions in the Service Act do not constitute a sufficient supplementary national legal basis for the operation of the solution in question.

[1] For the background to this, please refer to the Danish Data Protection Authority's statement on the Asta tool, which can be accessed on the Danish Data Protection Authority's website here: Statement from the Danish Data Protection Authority: Municipal authorities' authority for the AI profiling tool Asta
[2] C-175/20, Valsts ieņēmumu dienests, paragraph 83.
[3] The Danish Data Protection Authority's guidance on the use of artificial intelligence by public authorities (Before you get started), October 2023, p. 31.
[4] Preambular Recital No. 75 to the Data Protection Regulation.
[5] Legislative Decree No. 1089 of 16 August 2023 on social services.
[6] European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free exchange of such data.
[7] Act No. 429 of 31 May 2000 on the processing of personal data with later amendments.
Statement on the processing basis for the development and operation of AI solutions within the health and care sector

Date: 17-11-2023

Decision, Public authorities, Response to inquiry, Processing basis

At the request of Copenhagen Municipality, the Danish Data Protection Authority has assessed whether the municipality has the authority to develop, operate and retrain an AI solution that can identify citizens in need of maintenance training and rehabilitative efforts.

Journal number: 2023-212-0015.

1. The inquiry

On 22 March 2023, the Municipality of Copenhagen asked the Danish Data Protection Authority to assess whether the municipality is authorized to develop, operate and retrain an AI solution that can identify citizens in need of maintenance training and rehabilitative efforts.

It should be noted at the outset that the Danish Data Protection Authority has only assessed the question of whether the Municipality of Copenhagen has a processing basis for the development, operation and retraining of the solution in question. The Danish Data Protection Authority has thus not looked further into any other data protection law or health law issues.

2. The Danish Data Protection Authority's assessment

It is the Danish Data Protection Authority's assessment that the development, operation and retraining of an AI solution where personal data and special categories of personal data are processed with the aim of predicting citizens' need for and benefit from rehabilitation in order to avoid functional impairment can generally be done on the basis of Article 6, subsection 1, letter e, and Article 9, subsection 2, letter g, of the Data Protection Regulation.
However, both provisions require a so-called supplementary national legal basis.

Processing of personal data for the development, including retraining, of the solution can, in the Danish Data Protection Authority's assessment, be done with reference to the existing provisions in the Services Act, which obliges the municipality to make a decision on and deliver maintenance training and rehabilitative efforts.

Processing of personal data as part of the operation of the solution cannot, however, take place within the framework of these provisions, as they do not provide a sufficiently clear legal basis in light of how intrusive the processing activity in question is.

This assessment is explained in more detail below.

3. The background for the assessment

The Municipality of Copenhagen has stated that, based on its own data, the municipality wishes to develop, commission and retrain an AI solution that can identify citizens in need of maintenance training. The solution will be used as decision support by case managers in the municipality's health and care administration.

The municipality has provided the following information about the purpose of the AI solution:

"With the project, [the municipality] wants to use two algorithms to maintain the citizens' functional level for as long as possible for the benefit of the citizen himself. This is also beneficial for [the municipality], because it can postpone the citizens' need for help from the administration. The purpose is thus to ensure that citizens receive the right maintenance training or rehabilitative efforts in a timely manner so that they can manage on their own for as long as possible, and that the need for help from the administration is postponed.

The algorithm is not intended to result in persons who would normally be offered this training or rehabilitation being deprived of this opportunity. It is intended to help the municipality's staff, so that more citizens - where relevant - can benefit from training and rehabilitation."
Copenhagen Municipality has also provided the following information about the AI solution:

"The algorithm constitutes a decision support tool. The algorithm can identify with relatively high accuracy which citizens can complete a training course and who will benefit from the course. The algorithm must thus, on the basis of a statistically based analysis, support the individual visitor's professional assessment of which citizens will benefit from maintenance training or a rehabilitative effort. The algorithm is intended as an aid to support the employees in [the municipality's] assessment of who can benefit from the rehabilitation course.

[...]

The algorithm must then be trained on [the municipality's] information. It is intended that information for training the algorithm should come from historical cases."

Finally, Copenhagen Municipality has generally stated that personal data originating from three general situations will be processed:

"Personal information included in cases which also constitute patient records. It concerns information from cases from the municipal nursing service. It can also be information from training places, e.g. therapists. [The municipality] is also responsible for preventive measures according to Section 119 of the Health Act, and in this connection there are also cases where information is included that is part of a patient record.

Personal information received by the visitation in order to be able to award a benefit in accordance with the Service Act. [The municipality] inspects and makes a decision on the allocation of benefits in accordance with certain provisions of the Services Act. This primarily concerns benefits for citizens over 65 years of age. However, all cancer patients will be examined and a decision made in [the municipality].

Personal information necessary to be able to carry out the task of providing the assigned service from the visitation.
In addition, [the municipality] also has a large number of personal data that is used as part of the actual implementation of the decisions made pursuant to section 2. This personal data is processed so that it is possible for e.g. the home care and the rehabilitation centers to carry out their tasks."

Thus, among other things, personal data about the following will be processed: the citizen's social security number, age, date of birth and gender, whether the citizen has been offered rehabilitation by a helper, whether the citizen has received aids, which aids the citizen has received, the loan period for the aid, and the citizen's rehabilitation course, e.g. when the person has trained and whether the training course has been completed.

The Danish Data Protection Authority therefore assumes that both training and operation of the AI solution will involve the processing of personal data and special categories of personal data, including health information.

3.1. The Data Protection Regulation

It is the Danish Data Protection Authority's assessment that it is in particular Article 6, subsection 1, letter e, of the Data Protection Regulation, on the exercise of public authority, which is a relevant basis for the processing of personal data in connection with the development and operation of the AI solution.[1]

Processing of personal data on the basis of Article 6, subsection 1, letter e, of the Data Protection Regulation requires that there is a so-called supplementary legal basis which obliges or entitles the authority to carry out a specific authority task. This follows from Article 6, subsections 2 and 3, of the regulation.

Furthermore, it is the Danish Data Protection Authority's assessment that the prohibition on the processing of special categories of personal data in Article 9, subsection 1, of the Data Protection Regulation can be departed from under Article 9, subsection 2, letter g, of the regulation.
The provision states that the prohibition under subsection 1 does not apply if processing is necessary for reasons of significant public interest on the basis of EU law or the national law of the Member States and is proportionate to the objective pursued, respects the essential content of the right to data protection and ensures appropriate and specific measures to protect the data subject's fundamental rights and interests.

A deviation from the prohibition in Article 9, subsection 1, of the Data Protection Regulation under Article 9, subsection 2, letter g, presupposes, as is the case with Article 6, paragraph 1, letter e, that there is a supplementary legal basis.

3.2. Requirements for the supplementary legal basis

Article 6, subsection 3, of the Data Protection Regulation contains several requirements for the supplementary legal basis, which must therefore meet certain criteria.

Firstly, it is required according to Article 6, paragraph 3, 1st point, that the basis for the processing must appear from EU law or national law.

It appears from recital 45 of the preamble that the Data Protection Regulation does not imply that a specific law is required for each individual processing pursuant to Article 6, subsection 1, letter e. A law may be sufficient as a basis for several data processing activities. However, there is a requirement that processing according to the provision takes place on the basis of EU law or national law.

Furthermore, it follows from recital 41 of the preamble to the Data Protection Regulation that the legal basis in question does not necessarily require a law, but that the legal basis should be clear and precise, and the scope should be predictable for persons covered by the scope of the legal basis.

The Ministry of Justice's report no. 1565/2017, pp. 132f., states the following about Article 6, subsection 1, letter e, of the regulation:

"In this connection, it must be assumed that Article 6, subsection 1, letter e, is directly applicable as a basis for processing, as long as the data controller performs a task in the interest of society or which falls under the exercise of public authority, which the data controller has been assigned. The use of Article 6, subsection 1, letter e, as a basis for processing, thus does not require national, implementing legislation on the actual processing of personal data in connection with the performance of tasks in the interest of society or as part of the exercise of public authority.

The use of Article 6, subsection 1, letter e, does not necessarily require that the task, which requires the processing of personal data, is expressly assigned to the authority in the legislation. In this connection, reference can be made to [The Danish Data Protection Authority's statement in the case with j.no. 2004-54-1394], where the inspection found it natural that the Ministry of Education, as the central authority in the area, solved a task regarding digital registration for and application for admission to education programs, even though there was no express legal authority that assigned the task to the ministry. The ministry could therefore use i.a. § 6, subsection 1, no. 5, in the Personal Data Act on processing that is necessary for the performance of a task in the interest of society."

In addition, the following appears from p. 160 of the report on Article 6, subsection 3, of the regulation:

"It also follows from the regulation's article 6, subsection 3, 2nd point, specifically regarding processing referred to in Article 6, subsection 1, letter e – i.e. for the purpose of carrying out a task in the interest of society or which falls under the exercise of public authority - that the processing must be "necessary for the performance of a task in the interest of society or which falls under the exercise of public authority". Here, too, it must be sufficient for the fulfillment of this requirement of necessity that it can be derived from the relevant national law with its preamble, on the condition that the processing is actually "necessary".

In Article 6, subsection 3, last indent, there is an additional requirement for the legislation that adapts the application of the data protection regulation. There is a requirement that the national law of the Member States must fulfill an objective in the interest of society and be proportionate to the legitimate aim pursued. The Data Protection Regulation thus establishes a requirement for proportionality and observance of the public interest in connection with national law and EU law, which adapts the application of the Data Protection Regulation."

Finally, the European Court of Justice states the following in its judgment of 24 February 2022 in case C-175/20[2]:

"In this regard, it is nevertheless noted that the legislation which forms the basis for the processing, in order to meet the requirement of proportionality, as Article 5, paragraph 1, letter c), [...] is an expression of [...], must lay down clear and precise rules that regulate the scope and application of the measure in question, and that set minimum requirements, so that the persons whose personal data are affected have adequate safeguards that enable this information to be effectively protected against the risk of misuse.
This legislation must be legally binding in national law and, in particular, indicate in what circumstances and under what conditions a measure on the processing of such information can be adopted, thereby ensuring that the intervention is limited to what is strictly necessary."

The requirement for the clarity of the supplementary legal basis in question thus generally depends on how intrusive the processing of personal data that takes place in the solution will be for the citizen. If the processing is completely harmless, the requirements will be lower than if the processing is intrusive, where greater demands are placed on the clarity of the legal basis.

In this connection, the following appears from the Danish Data Protection Authority's guidance on the use of artificial intelligence by public authorities (Before You Get Started)[3]:

"The requirements for the clarity of the legal basis, which must form the background for your processing of personal data when operating an AI solution, depend on how intrusive the processing is for citizens.

In the Data Protection Authority's view, the legal basis must be assessed based on how direct and intrusive e.g. a decision or activity is for the citizens. This applies regardless of whether the activity is burdensome or beneficial. The legal basis must be proportionate to the legitimate purpose pursued, and the processing must not be more intrusive than necessary.

In the Data Protection Authority's view, there are different requirements for the clarity of the relevant legal basis for the development and operation of the solution.

As mentioned above, developing an AI solution as an overriding starting point does not have direct consequences for citizens. By contrast, an AI solution in operation is expected to generate predictions, recommendations, etc., which are to serve as decision support for the authority's case handlers. It may also be that an AI solution must make automatic decisions towards citizens.
The consequences for citizens are thus often greater when the AI solution is in operation, and higher demands are therefore placed on the clarity of the legal basis that forms the basis for using the solution in operation.

In the assessment of whether the legal basis that you have identified is sufficiently clear, you should include which information is processed and about which persons, including e.g. vulnerable citizens. In addition, you must include whether the relevant prediction, decision, etc., which the AI solution generates, has an impact on the citizen's economic, educational, social, health or similar conditions.[4] The impact can be both positive and negative. Finally, you should consider whether the treatment in question, including the fact that the treatment takes place using AI, is predictable and transparent for the citizen."

3.3. The Service Act

It follows from Section 86 of the Social Services Act[5] that the municipal council must offer rehabilitation to remedy physical impairment caused by illness that is not treated in connection with hospitalization. According to subsection 2 of the provision, the municipal council must also offer help to maintain physical or mental skills to persons who, due to reduced physical or mental functioning or special social problems, need this.

Furthermore, section 112 of the Social Services Act states that the municipal council must provide support for aids to persons with permanently impaired physical or mental functioning, when the aid (i) can significantly remedy the lasting consequences of the impaired functioning, (ii) can significantly facilitate daily life at home or (iii) is necessary for the person concerned to exercise a profession.

From the comments to §§ 86 and 112 to the proposal for an act on social services (Folketingstidende 2004-05 (2nd collection), appendix A, bill of 24 February 2005, sp. 2160 and 2163) it appears that both provisions are a continuation of the (then) applicable provisions §§ 73 a and 97 of the Social Services Act.

Section 73 a of the Act on Social Services was inserted by Act No. 1307 of 20 December 2000 on the Act on Amendments to the Act on Social Services (Flexible Home Care and Municipal Rehabilitation). Furthermore, Section 97 of the Social Services Act was inserted by Act No. 454 of 10 June 1997 on social services.

It is not clear from the preparatory work for these provisions how the municipality will specifically carry out these tasks. As far as section 73 a is concerned, it appears from the preparatory work for the provision that the municipality must "offer rehabilitation after a concrete individual assessment of the need. The aim is, as far as possible, to regain the lost functional capacity. When it makes a decision, the municipality has a duty to include all possibilities for help according to the social legislation."

In addition, the drafters of the provisions do not appear to mention in detail how personal data must be processed as part of the municipalities' performance of tasks under these provisions or the relationship to the data protection rules in general, just as section 97 of the Social Services Act was introduced before the data protection directive[6] was implemented in Danish law by the Personal Data Act[7].

Finally, the following generally appears from the preparatory work for Act No. 573 of 24 June 2005 on social services (Folketingstidende 2004-05 (2nd collection), appendix A, sp. 2145), which is the most recent main act:

"The Ministry of Social Affairs has reviewed the bill with a view to assessing the relationship with the Personal Data Act and assesses that data exchange can take place within the framework of the Personal Data Act."

The relationship with the data protection rules is not otherwise mentioned in the preparatory work for the main act from 2005.

3.4. The Danish Data Protection Authority's assessment

It is the Danish Data Protection Authority's assessment that the development, operation and retraining of an AI solution where personal data and special categories of personal data are processed with the aim of predicting citizens' need for and benefit from rehabilitation in order to avoid functional impairment can generally be done on the basis of Article 6, subsection 1, letter e, and Article 9, subsection 2, letter g, of the Data Protection Regulation.

3.4.1. Development, including retraining, of the solution

Processing of personal data for the development of an AI solution with a view to predicting the need for and benefit from citizens' training and rehabilitation can, according to the Danish Data Protection Authority's assessment, be done with reference to the provisions in question in the Services Act, which obliges the municipality to make a decision on training and rehabilitative efforts, cf. Article 6, subsection 1, letter e, and Article 9, subsection 2, letter g, of the Data Protection Regulation, in conjunction with Article 6, subsections 2 and 3.

The Danish Data Protection Authority has in particular emphasized that the development of the solution does not entail direct consequences for citizens.

Public authorities can thus often, within the framework of the legislation that obligates or entitles the authority to carry out a specific task, design, develop and test AI solutions that can support the authority in carrying out this task.

However, as part of the assessment of whether an AI solution should be developed, authorities should carry out an overall assessment of the entire life cycle of the AI solution to ensure that the authorities have also identified a possible processing basis for putting the solution into operation afterwards, or whether, as part of the development project, it is necessary to take steps to provide a processing basis for operating the solution, e.g. by the legislator deciding whether clear national rules must be laid down which can constitute the necessary supplementary legal basis under Article 6, subsections 2 and 3, of the Data Protection Regulation for operation of the solution.

3.4.2. Operation of the solution

The Danish Data Protection Authority assumes that personal data during the operation of the solution will be processed with a view to producing a prediction of whether a citizen needs and will benefit from training and rehabilitation pursuant to § 86 and § 112 of the Service Act.

The Danish Data Protection Authority notes that the use of AI solutions cannot generally be said to be intrusive towards the citizen. However, using AI solutions to solve or support the solution of citizen-oriented authority tasks will often be intrusive for citizens. This applies, among other things, when such solutions are used as decision support in administrative proceedings.

According to the information, the AI solution is not intended to deprive citizens of the opportunity to be offered training or rehabilitative efforts. Regardless of the fact that the processing will not necessarily have negative consequences for the citizen – and may even have positive consequences depending on the circumstances – it will be the case that the solution produces a (decision-supporting) prediction about the individual citizen, which the authority will act on and which will influence the citizen's health situation.

It is noted below that the use of AI solutions for decision support entails a risk of the employees attaching greater importance to the solution's assessment of a case than their own assessment, which constitutes an additional risk for the citizen.

In addition, the processing of large amounts of personal data and of sensitive personal data speaks for considering the processing as intrusive. This is, among other things, often the case when AI solutions are used.
Therefore, the use of AI as part of the case management, as in the present case, has an impact on how clear the supplementary national legal basis must be. This is because the use of AI means, among other things, that AI solutions can learn, find connections, carry out probability analyses and draw conclusions far beyond what a physical case manager would be able to do. The use of AI in administrative case processing is thus fundamentally different from the traditional human case processing that has been the norm until now. This argues for greater demands being made on the clarity of the national supplementary legal basis.

In other words, the demands on the national legal basis are not necessarily lower solely because, according to the information, the processing in question does not have negative consequences for the citizen.

It is also noted that it will not necessarily be predictable and transparent for the citizen that his potential need for and benefit from training and rehabilitation is assessed using an AI solution.

In addition, it must be emphasized that the target group whose personal data is to be processed – citizens whose health is in a situation that necessitates an assessment of a potential need for training in order to avoid functional impairment – is a vulnerable target group.

Against this background, it is the Danish Data Protection Authority's assessment that a clear supplementary national legal basis is required for the operation of a decision-supporting AI solution that predicts citizens' needs for and benefit from training and rehabilitative efforts.

In this connection, the Danish Data Protection Authority's assessment is that § 86 and § 112 of the Service Act are in the nature of provisions which only generally oblige municipalities to carry out certain tasks and in this connection require the processing of personal data for the purpose of carrying out these tasks.
However, neither the provisions nor their preparatory works mention the scope of the processing of personal data that can take place to carry out these tasks, including whether - and to what extent - personal data can be processed in the way that will be the case when using the AI solution in question.

It is thus the Danish Data Protection Authority's assessment that the mentioned provisions in the Service Act do not constitute a sufficient supplementary national legal basis for the operation of the solution in question.

[1] For the background to this, please refer to the Danish Data Protection Authority's statement on the Asta tool, which can be accessed on the Danish Data Protection Authority's website: Statement from the Danish Data Protection Authority: Municipal authorities' authority for the AI profiling tool Asta.

[2] C-175/20, Valsts eizumenu dienests, paragraph 83.

[3] The Danish Data Protection Authority's guidance on the use of artificial intelligence by public authorities (Before you get started), October 2023, p. 31.

[4] Preambular Recital No. 75 to the Data Protection Regulation.

[5] Legislative Decree No. 1089 of 16 August 2023 on social services.

[6] European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free exchange of such data.

[7] Act No. 429 of 31 May 2000 on the processing of personal data with later amendments.