Keywords
litterbugs, DNA, predicted faces, generated personal data
Abstract
In 2014, to fight the littering problem, an environmental group posted portraits of potential litterbugs on public streets. The group extracted DNA from discarded cigarettes, coffee cups, or condoms, and generated the possible likenesses of the individuals whose DNA was found on these items in public. Similarly, in 2017, detectives working on a cold case sent DNA found at the 1990 crime scene of a homicide and sexual assault to a company that claims it "can turn DNA into a face". The detectives then published the "predicted face" in an attempt to solicit tips from the public. In 2020, they went further: one of the detectives asked to have the "predicted face" run through a facial recognition system.
Depending on how and what "predicted faces" companies generate, many individuals can be wrongfully shamed in public or identified as suspects. It is therefore critical that those data companies or data brokers (collectively, data controllers) be held accountable under the law for their data practices, including generating data about individuals. To that end, the first set of questions that should be asked, for the purposes of data protection/privacy law, is: (1) whether data generated by companies constitutes personal data; and if so, (2) who is/are the data subject(s) of such generated images?
An obvious answer is the owner of the DNA, because their genetic information was used to generate the face. But what about others who look similar to those faces, or who are identified as resembling the suspect in a facial recognition system's database? Today, the issue is further complicated because generative "artificial intelligence", or gen AI, can produce a "virtual person" who has never existed on the planet but may still resemble someone, while millions of actual human faces were used to train that generative AI. Who is or are the data subjects of this "virtual person"?
This Article focuses on generating personal data, an increasingly critical data practice in today's data ecosystem. It explores and analyzes how the General Data Protection Regulation (GDPR) might apply to, and is challenged by, such a practice.
Recommended Citation
Hideyuki Matsumi, "Generating Personal Data and the GDPR: Conceptualizing, Analyzing, and Recognizing Generated Personal Data" 23:2 CJLT 239.
Included in
Computer Law Commons, Intellectual Property Law Commons, Internet Law Commons, Privacy Law Commons, Science and Technology Law Commons