On May 2022, the INAI continued a consistent trend publishing recommendations and guidelines for private and public data controllers and data processors to comply with applicable data protections laws. This time, the INAI issued recommendations for the processing of personal data deriving from the use of artificial intelligence ('the Recommendations')¹.

In Mexico, there are currently two main laws on data protection: the Federal Law on the Protection of Personal Data Held by Private Parties and the General Law on the Protection of Personal Data Held by Obliged Parties ('the Mexican Data Protection Laws'). The Recommendations take into account the principles, duties, and obligations established in the Mexican Data Protection Laws.

It shall also be noted that Mexican Data Protection Laws have not been modified nor updated since they were published, so the Recommendations have been welcomed as a means to underline that the current data protection provisions are applicable to all type of data processing activities, including the 'newest' trends.

The Recommendations are structured in eight sections: (1) glossary; (2) introduction; (3) what is AI; (4) types of AI; (5) definition of AI principles; (6) use of AI in new technologies; (7) relationship between AI and personal data protection; and (8) data protection aspects to be considered in the development and implementation of products or services using AI.

Glossary and introduction

The Recommendations provide a set of common concepts related to AI, gathered from several different sources. These concepts include 'Application Programming Interface', 'Big Data', 'Chatbots', 'Data Mining', 'Deep Learning', 'AI', 'Internet of Things', 'Machine Learning', and others.

To introduce the Recommendations, the INAI refers to certain uses of AI and the growth that AI-based services have had in Mexico in the last year, driven even by the COVID-19 pandemic. The INAI also refers to the growing number of scenarios in which automated decisions are used, and in particular to the profiling activity expressly regulated by the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Finally, the INAI refers to the challenges posed by the ethical use of AI which, together with all of the above, supports the opportunity to produce a document that aims to 'disseminate knowledge and the relationship of AI with the fundamental right to the protection of personal data'.

What is AI?

The INAI recognises that defining AI is a difficult task, and that a unique, generally accepted definition is hard to find. Thus, the Recommendations promote a 'regional' AI definition, drafted by the Ibero-American Network of Data Protection in their own Recommendations for Data Processing and AI²:

[...] it is an umbrella concept that includes a variety of computational techniques and processes aimed at improving the ability of machines to perform many activities, ranging from algorithmic models, through machine learning systems, to deep learning techniques.

However, for these computational techniques and processes to work properly, they need to be fed with a lot of information (big data), including personal data, which will depend on the activity to be carried out using these technologies. In addition, [...] AI involves the collection, storage, analysis, processing or interpretation of huge amounts of information (big data), which is applied to generate various results, actions or behaviours by machines.

AI types and principles

Based on Arend Hintze's³ work, the Recommendations provide a list of four types of AI to consider:

• reactive machines, which are based on decisions about the present, i.e. they have no memory and therefore cannot look to the past to learn from past experiences and are unable to evolve;
• limited memory, which uses its own or transmitted previous experiences and behavioural rules and scenario information stored in its memory for decision making;
• mind theory, which provides machines with the means to interpret the expression of thoughts, emotions, and ideas, as well as to evaluate reasoning and behavioural processes; and
• self-consciousness, which theoretically can endow machines self-awareness faculties, i.e. the ability to construct a representation of themselves, their environment, and their own behaviour, and equip them with the means to foresee external behaviours and feelings according to perception, acquired knowledge, experience, and subjective characteristics of information evaluation.

Regarding AI principles, the Recommendations cite the Organisation for Economic Co-operation and Development's AI Values-based principles⁴, which include:

• inclusive growth, sustainable development, and well-being;
• human-centred values and fairness;
• transparency and explainability;
• robustness, security, and safety; and
• accountability.

Despite all these principles being important, those related to transparency, security, safety, and accountability are closely related to data protection.

Transparency and explainability

AI actors should commit to transparency and responsible disclosure regarding AI systems. To this end, they should provide meaningful information, appropriate to the context, and consistent with the state of art:

• to foster a general understanding of AI systems;
• to make stakeholders aware of their interactions with AI systems, including in the workplace;
• to enable those affected by an AI system to understand the outcome; and
• to enable those adversely affected by an AI system to challenge its outcome based on plain and easy-to-understand information on the factors, and the logic that served as the basis for the prediction, recommendation, or decision.

Security and safety

AI actors should ensure traceability, including in relation to datasets, processes, and decisions made during the AI system lifecycle, to enable analysis of the AI system's outcomes and responses to inquiry, appropriate to the context and consistent with the state of art.

AI actors should, based on their roles, the context, and their ability to act, apply a systematic risk management approach to each phase of the AI system lifecycle on a continuous basis to address risks related to AI systems, including privacy, digital security, safety, and bias.

Accountability

AI actors should be accountable for the proper functioning of AI systems and for the respect of the above principles, based on their roles and the context, and consistent with the state of art.

Use of AI in new technologies

Under this general name, the Recommendations address various scenarios and considerations related to AI, drawing on examples of existing or developing uses and technologies using AI, including:

• AI and its implications in public safety and law enforcement;
• AI in the education sector;
• e-government,
• Privacy by Design as a best practice in the development of AI products and services;
• protection of personal information in the massive analysis of data for AI;
• the protection of personal data in virtual and augmented reality technologies;
• AI and cloud computing;
• trinity: cloud computing, AI, and personal data protection; and
• the use of robotic devices with artificial intelligence in public and private sector activities.

All these topics provide an overview of several cases and considerations regarding the use of AI and the intrinsic relationship between AI and personal data processing, leading to the definitive recommendations and a checklist directed to stakeholders who want to comply with the Mexican Data Protection Laws when developing and implementing AI.

Relationship between AI and personal data protection

In order to explore the relationship between AI and personal data protection, the Recommendations use two common provisions of the Mexican Personal Data Laws: (1) data protection principles; and (2) duties/obligations.

Mexican law provides the following data protection principles:

• lawfulness, meaning that a data controller is obliged to process data complying with the Mexican laws and international legislation;
• consent, meaning that a data controller must obtain the data subjects' consent to process their data for specific purposes provided in a privacy notice;
• information, meaning that a data controller must inform the data subject of the main purposes for processing their data thorough a valid privacy notice that complies with applicable laws and regulations;
• quality, meaning that all personal data being processed must be exact, complete, relevant, correct, and updated as required to comply with the processing purpose;
• purpose, meaning that the collected personal data must be processed only for the purposes described in the privacy notice;
• fairness, meaning that processing of personal data must ensure the data subjects' interest keeping in mind their right to privacy;
• proportionality, meaning that any personal data shall only be processed if it is needed, adequate, and relevant to the purposes for which they were collected; and
• accountability, meaning that a data controller shall oversee and be held to accountable for the processing of personal data in their possession.

The regulated duties or obligations under the Mexican Personal Data Laws are: (i) security; and (ii) confidentiality.

With these principles and duties in mind, the Recommendations include a chart explaining the meaning of each principle/obligation and specific measures to comply with all of them, which are not especially different from other measures to be implemented regarding other data processing activities.

Data protection aspects to be considered in the development and implementation of products or services using AI

The more relevant content of this Recommendations comes in its last section. Through an extensive checklist, the INAI proposes several controls to verify if any given AI project or service complies with the Mexican Data Protection Laws, with a yes/no/not applicable choice of answers. For instance:

• Are you aware of the regulations governing the processing of personal data of the AI product or service you develop or use?
• Do you have faculties or attributions to carry out the processing of personal data of the AI product or service you develop or use?
• Are you certain that the personal data to be processed by the AI product or service is necessary, adequate and relevant in relation to the purposes for which it was collected?
• Are algorithms using AI periodically reviewed to ensure that they are processing accurate, complete and up-to-date data for the decision making?
• Has a risk analysis of the personal data processed by the AI product or service been performed?

To the end, this Recommendations provide a basic and general approach to what AI is, with no intentions to provide new or improved concepts or knowledge. The Recommendations aim to provide information for all type of individuals, companies, and agencies, with simple explanations and an important reminder: all data processing matters and all data processing must comply with Mexican Data Protection Laws. Furthermore, the Recommendations remind that all the technologies and any type of processing (including algorithmic processing) must respect privacy and data protection rights.

Héctor E. Guzmán Rodríguez Partner
[email protected]
Bello, Gallardo, Bonequi y García, S.C., Mexico City

1. Only available in Spanish at: https://home.inai.org.mx/wp-content/documentos/DocumentosSectorPublico/RecomendacionesPDP-IA.pdf
2. Only available in Spanish at: https://www.redipd.org/sites/default/files/2020-02/guia-recomendaciones-generales-tratamiento-datos-ia.pdf
3. See: https://hintzelab.wordpress.com/
4. Available at: https://oecd.ai/en/ai-principles