Will the Commission spend PLN 30 million a year applying makeup to artificial intelligence?
[version edited 8 January 2025]
[This text expands on the argument made in an article published on 14 December 2024 in Rzeczpospolita online https://www.rp.pl/opinie-prawne/art41581751-maciej-gawronski-za-30-mln-zl-rocznie-komisja-bedzie-nakladac-makijaz-sztucznej-inteligencji]
On 6 November this year, the digital edition of Rzeczpospolita published my article in which I call for not setting up a public-money incinerator in the form of an AI Commission, and instead handing the powers to supervise high-risk artificial intelligence to the Personal Data Protection Office.
On 20 November, the same outlet published a polemic by counsel Przemysław Sotowski, in which he advances a number of interesting theses. Theses I cannot leave unanswered, because they balance between demagoguery and disinformation.
A certain difficulty in arguing with the author is that, of his dozen-odd theses, only the thesis that the Commission could be named differently corresponds to reality, and none of them contains any justification. To such a degree that in one case he appeals to "the obvious obviousness." As if the author were more of a politician than a lawyer. On page 51 of our bestselling Little Book on Drafting Pleadings I call this style of writing "biblical" (perhaps a better term would be "revealed"), which on page 68 I expand as follows: "We are not the superhumanly infallible Polish prosecutor's office, nor are we politicians, to allow ourselves arguments from the obvious obviousness…, unless we have nothing substantive to use."
Let the motto of my reply therefore be what Ronald Reagan said on 12 August 1986: "The nine most terrifying words in the English language are: 'I'm from the government and I'm here to help.'"
The polemic raises the following claims: (1) that it is better for the Commission to be called a Supervision Commission rather than a Commission for Development and Security; (2) that supervision which does not punish but leads the market is better (a chieftain-like role for the regulator?); (3) that an AI Development Fund is coming for Christmas; (4) that the new office is a chance for competence (this being the diplomatically phrased verdict on the competence of the PDPO - diplomacy, of course, in the USSR style: "The third fart of Her Majesty is hereby assumed by the Embassy of the Soviet Union"); (5) that this new Commission will spot some other breakthrough technologies (so as to regulate them too?!); (6) that the PDPO protects people's individual rights while the Commission is to exercise "market supervision," and that, according to counsel, is something different; (7) that there is no research showing that artificial intelligence processes personal data; (8) that a vast share of the data processed by artificial intelligence is not personal data at all, quite the opposite; (9) that nobody wants personal data; (10) that because nobody wants personal data, privacy-protection techniques are developing; (11) that AI mostly processes personal data in matters of the makeup-advice class; (12) that it is an obvious obviousness that handing supervision over artificial intelligence to the Personal Data Protection Office would cause "the same practices to be transferred" from personal data to artificial intelligence; (13) that the rights to privacy and data protection are a small fragment of the EU Charter of Fundamental Rights reflected in the EU Artificial Intelligence Act; and (14) that they are somewhat lesser than the others.
There are also passages in the text where it is hard to interpret what is meant, such as the one where it is unclear whether the author questions that software and AI process data, or perhaps that the PDPO supervises the processing of personal data, or finally is expressing reluctance at being supervised by the PDPO. At this point all one can do is ask, after Max from Sexmission, "and maybe Curie-Skłodowska too?"
The key statement, however, is the following formulation in the polemic: "This shows, though, that the author [meaning me - my insertion] mistakenly conflates market supervision with the protection of fundamental rights."
Well, I am afraid that it is the author of the polemic who does not understand what the Artificial Intelligence Act is about.
Yes. The protection of fundamental rights. Indeed, the essence of supervising the use of artificial intelligence on the EU market is the protection of the fundamental rights of natural persons against the risks to them arising from the use of these technologies by EU market participants.
The Artificial Intelligence Act regulates the use of HIGH-RISK artificial intelligence. It is about the risk to FUNDAMENTAL RIGHTS. Whose fundamental rights? The fundamental rights of natural persons. And the GDPR is about exactly the same thing. The GDPR is meant to protect the rights and freedoms, and to oversee the risk to the rights and freedoms, of natural persons. The Artificial Intelligence Act is meant to oversee the risk to fundamental rights. What is the difference? From this perspective, none. Supervision is not supposed to focus on which technology provider will earn more on our market, nor on whether competition is fair. Supervision is to protect natural persons against the risk to their fundamental rights arising from the use of high-risk artificial intelligence.
Risk to natural persons. The misunderstanding evident in the polemic author's statements clearly stems from a misunderstanding of the GDPR itself. The GDPR is not at all about threats to privacy. It is about (all) risks to human rights and freedoms arising from the violation of privacy (including lawful violation - that is, simply from the processing of personal data). I recommend our "GDPR. A Guide with Templates" - the most popular book on the GDPR in this country. These risks may be risks of bodily injury, death, disasters, job loss, manipulation, restriction of civil rights, surveillance, fraud, denial of medical services or their reimbursement, etc. And it is precisely these threats that the Artificial Intelligence Act is concerned with. Even an inattentive reader will notice in the Artificial Intelligence Act references to the GDPR wherever it speaks of risk and impact assessment and (sic!) of the supervision of AI by data protection authorities.
Granted, risk management is much older than the GDPR, just as I am much older than the author of the polemic. What is new in risk management from the GDPR perspective, however, is that here one assesses the risk to a third party - natural persons - rather than to the organization, and assesses it in absolute terms (very vague terms, of course, but that is a different problem).
Compliance system. The GDPR rests on the concept of distributed, market-delegated risk management and chiefly ex-post supervision of how that risk is handled. The GDPR itself, however, already contains elements of the preventive system on which the Artificial Intelligence Act is based. These are codes of conduct and certification. The PDPO has already taken significant steps regarding codes of conduct and certification. Personal data protection is the only area (apart from elements of non-standardized critical infrastructure), among all the areas regulated by the Artificial Intelligence Act, that requires building a compliance-management system (risk assessment, quality management and certification). The other areas (various machines, toys, radio equipment, etc.) already have their compliance-management systems. The PDPO is right now building such compliance systems, based on the prerogatives under the GDPR and on its experience from the practice of applying the GDPR, as well as on the market knowledge it has acquired. The Edison who came up with the idea of entrusting the creation of an alternative AI-compliance system in data protection to an authority competing with the PDPO deserves a Darwin Award.
Granted, a forest is not the same as a forest of crosses. The point of that analogy, however, runs the other way. The regulation of artificial intelligence is aimed precisely at ensuring that the forest does not turn into a forest of crosses. And the GDPR - I will invoke here Jan Nowak, the former President of the Office - is not an act about personal data, but an act about the protection of natural persons. The Artificial Intelligence Act is likewise not an act about protecting the corporations developing and using artificial intelligence, but an act about protecting natural persons. To see this, however, one must take off Scrooge McDuck's spectacles.
One must also realize that, as the report "We have no science of safe AI" by David Janků, Max Reddel, Roman Yampolskiy and Jason Hausenloy forcefully argues, there are no good safety standards for artificial intelligence. The system created by the Artificial Intelligence Act consists of procedures left unfilled with content precisely in the area of personal data, and most dangerous in that very area. Why should supervision over this area go to an authority without experience and without the understanding that this is precisely about protecting fundamental rights, rather than to the authority that specializes in exactly this?
Does AI process a lot of personal data? The author of the polemic claims that there are many AI systems that do not process personal data. And that this is why privacy-protection techniques are developing, such as synthetic data, differential privacy, or "confidential computing." I am afraid that an oxymoron has hidden itself in those two sentences. Sentence no. 2 contradicts sentence no. 1. There would be no need for privacy-protection techniques if those mythical systems, supposedly not processing personal data, really did not process personal data.
The charming "there is no research" argument. The author of the polemic further claims that "there is no research" showing that AI processes personal data, except for makeup. This level of discussion is the level of MP Szejnfeld who, when at a conference I unfurled an A1-format sheet with the patent process drawn out, commented only "Eeee, not on an iPad…," or the level of sophistry known from the film "Thank You for Smoking." If we add to this the nonsense that nobody wants or likes personal data, the level drops with the crash of a piano smashed against the pavement.
The author claims that personal data is most often processed where the specifics of the product or service and the customer's need require it - for example, to fit clothing or makeup to a particular person, with their knowledge and consent. Well, if that is the state of awareness and knowledge about the operation and contemporary applications of artificial intelligence across the entire Ministry of Digital Affairs and the AI Working Group, then I am not surprised they wanted to amend a statute by way of a regulation. The only thing that worries me is such a large share, in that group, of lawyers who deal with data protection on a daily basis.
The claim that AI processes personal data mainly for the purpose of selecting makeup is unserious. Above all, however, it tells us that the proponents of creating an AI Commission have not read the Artificial Intelligence Act. Contrary to the author's suggestions, the Artificial Intelligence Act does not regulate the selection of makeup by means of artificial intelligence.
Netflix makes films, scholars write books about how Silicon Valley is built on harvesting every possible piece of personal data. Steve Jobs's famous line "Silicon Valley is not monolithic. We've always had a very different view of privacy than some of our colleagues in the Valley." only confirms this. But, as we can see, there are those who keep hiding in a cave on this matter. And it is by no means Plato's cave.
But let us return to that research that supposedly does not exist. Let us begin by looking through the first technology company that comes to hand, one starting with A - we will find mainly examples of AI being used to process personal data: in marketing, customer experience, banking, people management, data search, entertainment and so on.
Let us toss into Google, or into some AI, examples of AI use, and out of 22 only 3 (agriculture, robotics and astronomy) are not directly connected with the processing of personal data. The remaining 21 are: e-commerce, education, lifestyle, navigation, natural language, image recognition, facial recognition, human resources, health, gaming, cars, social media, marketing, chatbots, finance, cybersecurity, travel and transport, entertainment. But, but…
Studying the Scripture. The researcher's spirit ought first to prompt the author of the polemic to study the Scripture - in this case, the Artificial Intelligence Act. So what does this EU regulation regulate? The Artificial Intelligence Act regulates the kind of AI that may pose a threat to NATURAL PERSONS (NOT TO CORPORATIONS). High-risk AI, regulated by the AIA, is:
- first, systems processing personal data that are prohibited because of the threat to the rights and freedoms of natural persons (Article 5);
- second, systems posing a physical danger TO NATURAL PERSONS, from Annex I. Annex I to the AIA lists here: machinery, toys, recreational craft, lifts, protective systems for explosive atmospheres, radio equipment, pressure equipment, cableways, personal protective equipment, gas-burning appliances, medical devices, civil aviation, vehicles, marine equipment, rail interoperability, motor vehicles. All these areas already have functioning mandatory compliance-management systems;
- third, systems threatening the rights and freedoms of natural persons, from Annex III. Annex III lists: biometrics (emotion recognition, remote identification, profiling of persons), critical infrastructure (digital, road traffic, utilities), education and vocational training (admission to schools, assessment of learning progress, exams, detection of cheating), employment and worker management and access to self-employment (recruitment, decisions on promotion, dismissal, work assessment), determining people's eligibility for health and other public benefits by the administration, as well as demanding the return of such benefits, creditworthiness assessment, insurance risk and pricing assessment, prioritization of emergency calls, law enforcement (assessment of the risk of victimization, lie detection, evidence evaluation, assessment of the likelihood of recidivism, profiling of offenders, polygraphs in immigration, assessment of migrants' risk including to health, processing of asylum applications, identification of migrants), the judiciary, influencing voters' decisions. Of this several-dozen-item enumeration, every field except road traffic and utility supply relies on the processing of personal data, but even road traffic and utility supply involve significant processing of personal data.
- fourth, deepfakes (which may mislead natural persons as well as exploit natural persons' data);
- fifth, general-purpose models, which can essentially make any kind of mess and, on top of that, snoop on and profile their users (that is, process their personal data and collect other people's personal data), which of course they do.
So if a member of the AI Working Group claims that artificial intelligence processes personal data only by helping with makeup and only with the user's consent, then I am not surprised the Ministry preferred to set up its own authority, where such drivel can be cheerfully repeated.
What's it all about, what's it all about… When it is not clear what it is all about… From the leaks of information about the work on "implementing the AIA" in Poland, as well as on the basis of common sense, it is known that this tussle is about paralyzing supervision and turning it into a distribution of public cash to perpetually hungry technology companies.
The concept of "chieftain supervision" that, like Ulrich von Jungingen, will lead the charge of "Polish" artificial intelligence against the whole world, pelting technology companies with billions from the Artificial Intelligence Fund the way that sultan pelted his eunuchs with halva and peanuts, sounds straight out of Bareja's films. We will have a Commission to match our means. One that, for thirty million a year, will paint artificial intelligence's lips.
Counsel Sotowski raises the argument that public opinion will defend the Commission against degeneration. And, for reasons unknown, he invokes here the counter-example of IDEAS, where we could all see how it turned out. The media and public opinion essentially have the kind of influence described in that joke: Are you stealing from the budget? Yes. So what? Aren't you afraid someone will find out? Well, you've just found out, and so what?
Let us add that, according to the author of the polemic, the new Office is to be a modern center of competence "and a starting point for spotting further breakthrough technologies." Just as the Ministry of Labor spotted AI and wants to protect occupations from it? Then I would start with the lift operator.
But to argue for creating an AI Office on the grounds that it will look for new areas of regulation? Maybe space elevators? Mining helium on the Moon? Genetic recombination? Quantum encryption? This knack for seeking new areas of regulation, the drafters of the bill ought to flog to Ursula von der Leyen, or to that other one, the rule-of-law one, in whose home they found a mighty pile of cash (though no - there is no point teaching the children's father how to make them).
But wait, wait. Again quoting the Chairman of the Rainbow Club, "let us not mentally mix up two different monetary systems." This is not about the peanuts of thirty million zlotys, but about that legendary billion in the Artificial Intelligence Fund that, my dear sir, the Polish Development Fund is to create together with the Ministry of Digital Affairs, the Ministry of Science, the Ministry of National Defense, the Ministry of Science and Higher Education, the National Centre for Research and Development, the National Science Centre and Bank Gospodarstwa Krajowego on the basis of a letter of intent signed in November. Incidentally, with that billion (which does not, in fact, exist) the officials can at most throw some in someone's eyes and hope that it trickles back to them one way or another. With no amount of money are we able to offset the financial advantage of Silicon Valley, or of the USA in general. And the argument that we have here a fictitious supervisor will, at most, strip away trust in the state as an institution. The entire concept of squandering public cash serves chiefly those who hand it out. On the uselessness of fiscal transfers (except, that is, for those who manage them), Stefan Kawalec and Ernest Pytlarczyk write in their book "The Euro Paradox. How to Escape the Trap of the Common Currency" on pages 120 et seq., concluding: "…fiscal transfers alone do not at all accelerate the economic development of poorer countries and regions."
All the more so because, whatever this Commission may say and do, the President of the Personal Data Protection Office can, and will, issue decisions regarding the use of any technology that processes personal data. Behind the concept of producing such a PR organ as this Commission is to be, there therefore stands a true Machiavelli of departmental Poland. Perhaps the one behind family foundations?
Farting in the elevator. There is an English saying, "to fart in the elevator" - that is, to say something unpleasant that ruins the atmosphere of mutual back-patting, but is, unfortunately, true. And here I will allow myself precisely such a thing again. Well, setting up an AI Commission gives rise to one more risk - "revolving door" behavior, which led to the systemic corruption of the entire market-supervision system in the USA, with the supervision of pharmaceuticals at the forefront. It is about the back-and-forth flow of people between the regulator and the regulated market. It is known that essentially no one from the private sector can afford to become an official and tell their family that, from now on, the family budget shrinks tenfold. That is why work in the public sector is either a mission or an investment. If a mission, then for life. But if an investment, it has to pay off. And we know of cases where it did. I propose that, as with the Food and Drug Administration, the heads of IT companies should simply share terms of office in this authority. The alternative version known from the Polish market is the so-called silent partnership between the regulator and the advisers.
Only this should not happen in such a way that, while working in the public sector within the scope of our duties, we craft solutions so as to be able to cash in on it later. What is this grant for? The Maldives? And who is to be accountable for it? The supervisor? Meaning, the point is for them not to interfere? Like those who build a gate across the road on the way to a wedding? From this perspective, indeed, the PDPO never performed. Maybe that is precisely why the drafters of the AI-supervision bill dislike the vision of transferring the PDPO's practice onto the AI domain?
Sir, you don't know who I am! For dessert I have saved the "charge" that I am a personal-data-protection lawyer. I am, in fact, very pleased that the author of the polemic called me out by name, accusing me of being a personal-data-protection lawyer rather than a cybersecurity or intellectual-property lawyer or, as he put it, a lawyer dealing with the "responsible creation and use of AI." For a fair answer to the substantive issues raised by counsel Sotowski, I may, with a clear conscience, speak on my favorite subject, namely myself.
I am, above all, an IT lawyer. Some colleagues even occasionally call me, as a courtesy, an "IT guru." I have been doing IT law since 1996; from 2000, for over a dozen years, I was the lead lawyer on the largest IT project in this country, and I am currently also the lawyer on the largest IT project in this country. I have been responsible for hundreds or thousands of IT matters; I am the main point of contact for the IT teams in three consecutive companies where I worked. Regulators copied my phrasings from IT contracts into their recommendations. Foreign and domestic rankings have listed me in this category since 2006.
I am a cloud-computing lawyer. I have been doing cloud computing since 2009; I edited the study, much praised at home and abroad, of the Banking Technology Forum of the Polish Bank Association, "Cloud Computing in the Polish Banking Sector. Regulations and Standards. 2011." I dare say that the leading members of my competition began their adventure with cloud computing relying solely on references from my own projects. Oh, and as an Expert of the European Commission on Cloud Computing Contracts, I proposed a number of solutions that ultimately found their way into… the GDPR.
I am a cybersecurity lawyer. Since 2006 I have dealt with the legal aspects of business continuity and information security; I was responsible for security policies and regulations on operational incidents in banks and other financial institutions. I implemented ISO 27001 in my own organizations, audited various institutions for operational-security procedures, data protection, and compliance with the National Cybersecurity System Act. I also assessed such specific crisis-response procedures as counter-terrorism measures.
I am an intellectual-property lawyer. I deal with soft IP and hard IP. Someone with longer tenure may still remember that, as head and founder of Bird & Bird in Poland, I represented clients in many patent disputes. For some reason I have the most skill endorsements (161) on LinkedIn precisely in intellectual property. International rankings have listed me in the category of intellectual property, patent disputes and franchising since 2011.
Yes, I am a personal-data-protection lawyer. I edited the best book on the market on this subject, the No. 1 in Wolters Kluwer Polska sales in 2018 and 2019, published by Wolters Kluwer International in 2019. I was honored by the President of the Office and the Personal Data Protection Office with the M. Serzycki Award. I was an expert of the Article 29 Working Party. I am a supporting expert of the European Data Protection Board. Currently, international rankings focus on this aspect of my activity.
I am - take note - an artificial-intelligence lawyer. I have always been interested in futurology and science fiction. Since 1982 I have read several thousand titles on the subject. So I became interested in artificial intelligence some 5 years before the author of the polemic was born. On the legal aspects of AI I have so far spoken at least a dozen times at conferences and in articles (including ones published by the PDPO and the Chancellery of the Prime Minister) ever since 2019. Another article on the subject, of which I am a co-author, will appear shortly.
Incidentally, I am also a litigation lawyer. I began my practice as a student, in 1994. Over the years I appeared often before the Supreme Court and the Supreme Administrative Court. I am an arbitrator recommended by the Court of Arbitration at the Polish Chamber of Commerce. Press mentions of my appearances before the Supreme Administrative Court have been appearing since 2002. A Supreme Court judgment of 1999 in a case I handled and argued made it into LEX (a curiosity - I was a trainee at the time. Who can guess how that was possible?). With Piotr Biernatowski I wrote the most popular legal book of 2022 on litigation.
In 1999 I also worked in tax. Ah, and competition law too. There are competition-law experts who copied an entire competition-law lecture (in French) from me before they started work at the Court of Justice of the EU.
Summary. Elon Musk keeps repeating that regulations stifle American innovation, pointing also to the example of the destructive impact of regulation on the competitiveness of the EU economy ("Regulations are strangling American innovation. If we don't get this under control, our economy will stagnate"). The idea of having artificial intelligence additionally supervised by a new authority is a perfect example of over-regulation. Let us remember, at the same time, what the effects are of a lack of regulation combined with de facto self-regulation (that is, anti-competitive warfare using one's own people at the regulator) in the USA - a devastated natural environment, a shrinking average lifespan, a society addicted to opioids and other "medicines," etc.
The AIA does not strip the PDPO of its competence to supervise the processing of personal data by AI, that is, where the real battle between competitiveness, security and formalism will be waged. To make it "funnier," Article 74(8) of the AIA directly entrusts the PDPO with supervision over high-risk AI systems used in law enforcement, immigration, the administration of justice and democracy (hm, interesting. Dispensing democracy to someone has so far been the specialty of the CIA and the US Army. Ursula von der Leyen wants to join that crew by means of the Digital Services Act, and the defenders of militant democracy have already joined by annulling the presidential election in Romania, where voters evidently failed to match the rulers' preferences). Poland therefore does not face the choice "PDPO or AI Commission," but the choice "PDPO or PDPO together with the AI COMMISSION."
The idea that two parallel supervisory authorities instead of one will better support competitiveness could only have been born in an official's head.
Finally, let us note that counsel Sotowski's argumentation leads to a conclusion contrary to his thesis. How is the concept of two regulators with a vast overlapping set of competences, instead of one supervisor, supposed to serve deregulation rather than over-regulation? Only an official could have thought that up. Supervision over the whole of AI should go to the Personal Data Protection Office. The Office acts in a prudent, non-excessive and non-overzealous(?) manner. Indeed, after a year and a half I would, at last, expect from the Office some decision in the ChatGPT matter, rather than blaming the need for eternal consultations.
Let today's summary be served by the words "Deny. Defend. Depose," found on the casings of the bullets that, a few days ago, killed Brian Thompson, the CEO of the insurance company UnitedHealth, known for using the artificial-intelligence algorithm nH Predict, which is alleged to have a 90-percent error rate in rejecting elderly people's claims for therapies prescribed to them by their doctors. As we can see, Brian Thompson's murderer did, after all, make the processing of personal data by AI the heart of the matter.
Maciej Gawroński
The author is an attorney-at-law, managing partner of the law firm GP Partners, laureate of the M. Serzycki Award; he served as an expert of the European Commission on cloud-computing contracts and an expert of the Article 29 Working Party on data transfers, is a supporting expert of the European Data Protection Board, an arbitrator recommended by the Court of Arbitration at the Polish Chamber of Commerce, and the author of the most popular legal books of Wolters Kluwer Polska 2017, 2018 "GDPR. A Guide with Templates" and 2022 "The Little Book on Drafting Pleadings." He is the author of numerous talks and publications on artificial intelligence. He is conducting the first complaint in Poland against OpenAI in connection with ChatGPT.
A joint article by Jakub Rzymowski, Dominik Spałek and Maciej Gawroński on the illusory nature of bans on using AI for certain activities will appear shortly in the quarterly Prawo Nowych Technologii. The working title of the article is "The prohibitions of Article 5 of the AI Act as illusory prohibitions, or: how it is not allowed, but if you want to, you can."