The Dutch algorithm regulator will become active from the beginning of next year. The Dutch Data Protection Authority will largely perform this task itself. The regulator must identify the risks of algorithms and set up collaborations with other regulators.
Alexandra van Huffelen of Digitization announces the official arrival of the algorithm supervisor in a letter to the House of Representatives. In it, she describes the exact tasks that the new supervisor will be assigned. The letter follows a day after Van Huffelen presented the algorithm register. The new supervisor will, among other things, look at the register as a guideline, but is not bound by it.
The algorithm supervisor will come under the authority of the Dutch Data Protection Authority. That was already known, because that intention was already included in the coalition agreement. It is striking that the current supervisor is given a lot of room to implement the algorithm supervision. With this, Van Huffelen seems to meet the wishes of the AP itself. Chairman Aleid Wolfsen has told Tweakers several times that he did not think it necessary to set up a new supervisor, because the AP already supervises algorithms if personal data are processed in them. This is the case in almost all cases when it comes to algorithms as defined by the government for the register and the regulator. In practice, the new supervisor will therefore become a new department within the AP, which the supervisor itself will still give substance to.
The Dutch Data Protection Authority will start that process from the beginning of 2023. Van Huffelen describes three tasks that the AP must take on for this supervision:
- Identifying and analyzing cross-sectoral and overarching risks and effects of algorithms and sharing knowledge about them;
- Optimizing (existing) collaborations with colleges, market regulators and government inspectorates, and mapping overarching supervision in the field of algorithms and AI;
- Coming to a joint interpretation of standards and creating an overview in legal and other frameworks.
In the first case, the watchdog must look at where algorithms may be used in society and, in particular, what risks they entail. The watchdog must then share this with other regulators, but also with citizens, companies or scientific institutes. “This gives regulators possible (new) insights into significant developments and risks,” writes Van Huffelen. That research should be made public.
The AP must also determine what an algorithm is exactlyThe question of when exactly an algorithm entails risks is currently still difficult to answer. State Secretary van Huffelen told Tweakers on Wednesday that that issue is still being fleshed out. The algorithm register that was presented at the time still referred to algorithms that ‘could have an impact on citizens’. These are, for example, algorithms with which (partly) automated decisions about citizens are taken. It will partly be the task of the new supervisor to make that definition more concrete.
The second part is that the AP must ‘optimize existing collaborations’. This concerns the supervision that is already being carried out on algorithms. Various regulators do this for their own sectors. For example, the Netherlands Authority for the Financial Markets looks at algorithms used by insurers or banks, and the Media Authority checks algorithms used in that sector. It is also up to the Dutch Data Protection Authority itself to check algorithms for all those sectors. Van Huffelen wants there to be more clarity in those collaborations.
That does not mean that the AP or the new supervisor will take over all supervision. That would be too much work. The AP must ‘optimize existing collaborations’. The AP has yet to work out what that will mean in practice.
The AP must also provide an explanation of the standard for the GDPRFinally, the new supervisor must formulate a ‘joint interpretation of standards’. The AP is already doing this with the AVG, for example. It contains concepts such as ‘legitimate interest’, but no exact description of what that means. The AP must now also explain what certain terms mean for algorithms and what they mean for companies or governments that use algorithms and what citizens can benefit from them.
In the coming year, both the Dutch Data Protection Authority and the Ministry of the Interior will further elaborate what exactly the algorithm supervisor will do. The AP will receive more money for the regulator in the coming years. Two million euros will be released for this in 2024, three million euros in 2025. From 2026, 3.6 million euros will be structurally released annually for the activities. For comparison, the AP will receive a budget of 28 million euros in 2023.
A supervisor of algorithms was one of the most important digitization positions from the coalition agreement of the Rutte IV cabinet. Various parties, from left to right, advocated such a separate supervisor. This happened after the previous Rutte III cabinet had fallen over the benefits affair, in which discriminatory algorithms were central. Earlier there was also a fuss about algorithms such as the System Risk Indication or SyRI. State Secretary van Huffelen wanted to set up the algorithm watchdog before the summer, but that was ultimately delayed.
An algorithm supervisor is also an obligation from Europe. The European Union recently passed the AI Act. It states that every member state must set up a supervisor that looks at ‘self-managing artificial intelligence’. In practice, the Dutch regulator will also continue to check other algorithms.