Artificial intelligence in retail: The way forward vs. data protection?

The use of artificial intelligence is playing an increasingly important role in the digitisation of retail. According to the "Executive Summary World Robotics 2020 Industrial Robots" of the International Federation of Robotics (IFR), Germany ranks fifth worldwide in the use of industrial robots - after China, Japan, the USA and South Korea.

Not least because of the corona pandemic, retailers have been forced to find new possibilities of using AI: from the automatic disinfection of shopping trolleys in supermarkets to facial recognition when checking whether a person is wearing a mouth-nose covering. In online business, the analysis of customers’ purchasing conduct in particular is improving. The use of cookies and analysis tools on websites has become indispensable. Added to this are things such as the analysis of product evaluations, the use of chatbots and the breakup of existing data silos through profiling or their use in the context of job application processes. There are no limits to the inventive imagination of the industry.

Consideration of data protection requirements

When analysing and using customer data, data protection requirements in particular must be taken into account. In principle, any processing of personal customer data must have a legal basis under data protection law. In this context, one must determine on a case-by-case basis whether the data processing is necessary, for example, for the performance of the contract, whether it represents an overriding legitimate interest or whether it requires the prior consent of the customer.

In addition, the customers in question have to be informed about the use and type of data processing through artificial intelligence pursuant to Art. 13 GDPR. In online business, this requirement is usually met through the data protection notices on the website, whereas other ways of informing customers have to be found for shops, for example by posting a notice at the entrance.

If the AI system used makes decisions itself on the basis of the data processing, such as in the case of digital pricing, the prior express consent of the data subject may have to be obtained in individual cases in accordance with Art. 22 GDPR.

In a joint statement (the so-called Hambach Declaration), the German data protection authorities expressed the view that a data protection impact assessment pursuant to Art. 35 GDPR, i. e. a documented assessment of the consequences of the envisaged processing operations for the protection of personal data, will generally be required for the use of AI systems to interact with data subjects or to assess personal aspects.

When using robots or systems that store data in the connected cloud outside the EU or EEA, appropriate safeguards must be put in place and data protection safeguards must be ensured, for example by agreeing the EU standard data protection clauses. Since the Schrems II ruling of the ECJ, however, one must also examine on a case-by-case basis whether additional measures need to be taken to ensure a level of protection that is essentially equivalent to that in the EU.

Collection of employee data

By no means does the use of artificial intelligence in retail mean that the use of human labour is no longer necessary. Software programs are written by developers, for example, and assembly and maintenance work in particular is carried out by engineers. This often requires the personal identification of the employee, which means that personal data is also collected by the employer in this context.

The use of artificial intelligence is also on the rise in the human resources sector. Software-controlled programmes are used in particular for recruiting and selecting personnel, enabling most suitable candidates to be selected in a time and cost-saving manner.

Through the systemic processing of employee and job applicant data, conclusions can be drawn as to the employee's work approach. European data protection law also sets boundaries in this respect, however. The processing of employee data requires a specific purpose and a legal basis. Consent pursuant to Art. 6 (1) lit. a GDPR, in contrast, usually does not come into consideration in an employment relationship due to the lack of voluntariness on the part of the employee or job applicant.

If a works council has been formed at the company in question, co-determination pursuant to § 87 (1) No. 6 German Shop Constitution Act [Betriebsverfassungsgesetz, BetrVG] especially applies with regard to the monitoring of employees' performance and conduct through technical equipment. In the context of job application processes, participation and co-determination rights according to §§ 92, 93, 94 BetrVG come into consideration. In this connection, the conclusion of a mandatory shop agreement can also be used as a permission criterion of data protection law pursuant to Art. 88 GDPR in conjunction with § 26 (4) German Data Protection Act [Bundesdatenschutzgesetz, BDSG]. In this context, the legislator has now also incorporated the topic of artificial intelligence into the current draft bill of the Works Council Strengthening Act [Betriebsrätestärkungsgesetz].

Conclusion

The use of artificial intelligence is significantly defining digitisation in retail. Despite all the advantages that the use of (industrial) robots and other AI systems brings, the labour and data protection provisions should not be underestimated. Reconciling the unlimited possibility of artificial intelligence with the legal boundaries can be a balancing act in individual cases, but it is not impossible.

Back to list