Michèle Finck (Max Planck Institute for Innovation and Competition; University of Oxford) has posted “The Limits of the GDPR in the Personalisation Context” (U. Kohl, J. Eisler (eds), Data-Driven Personalisation in Markets, Politics and Law, Cambridge University Press, 2021) on SSRN. Here is the abstract:
Personalisation is both driven by, and can produce, personal data, and thus it falls within the scope of the General Data Protection Regulation (‘GDPR’). As a consequence, the European data protection framework applies to data-driven personalisation. Yet, whereas there appears to be a general perception that data protection is suitable to function as a general legal framework for AI, it is important to remain realistic regarding both its opportunities and limitations. This chapter examines the application of certain elements of the GDPR to data-driven personalisation. There are hopes that the GPDR can serve as a general legal framework to govern the normative concerns that have emerged in relation to AI. It is, however, fundamentally inadequate to serve as a ‘general AI law’. Whereas the Regulation indeed applies to the processing of personal data, it would be erroneous to frame it as a general ‘AI law’ capable of addressing all normative concerns around personalisation.