apidays Helsinki & North 2025 - AI in Privacy tech and Consent Management, Unnikrishnan Sreedhara Kurup (Gravito)

Transcript

1. AI in Privacy tech and Consent Management Unnikrishnan Sreedhara Kurup

   (Unni) Co-Founder & Lead Developer, Gravito Ltd.

2. AI vs Privacy & Consent AI adoption is surging!! ChatGPT

   reached 100 M users in 2 Months vs. Netflix’s 10 years. AI Agents working for us are a reality now! Yet every click on that button is/must still be a human decision.

3. AI vs Privacy & Consent ➢Emerging trends ➢Upcoming EU AI

   act ➢Best practices ➢Real-world use cases ➢Q&A

4. Autonomous AI agents are going mainstream Agents string actions together

   to achieve a result 1. CRUD on APIs 2. Purchase actions 3. Send e-mails 4. Many more Without a fresh prompt every new action risks “function/purpose-creep” unless the user is re-consulted and a human can override. Emerging Trends

5. Emerging Trends Remember GDPR assessments and Audits? Be prepared for

   Fundamental Rights Impact Assessment (FRIA) AI Providers Those developing or commissioning AI systems. AI Deployers Users of AI systems, excluding personal use. Importers and Distributors Entities bringing AI systems into the EU market. AI Product Manufacturers Producers of AI-enabled products. Authorised Representatives Representatives of non-EU AI providers within the EU. AI Act impacts

6. Upcoming EU AI Act Source: https://www.isaca.org/ “High-risk deployers must run

   a Fundamental Rights Impact Assessment (FRIA) on top of any GDPR assessment”

7. Practical best practices • Meaningful human oversight and progressive consent

   gathering and gating should be built into into any autonomous agent • Finnish Ombudsman says rubber-stamping will not suffice for decisions that “significantly affect rights” • Gather Consent regularly and have human oversight • Always using Hashed user identifier + consent token • Hashing a user identifier plus a consent token turns every data point into a self explanatory, regulator-ready data artefact which is “human-controlled yet AI- assisted” • Eg: IAB’s TCF V2 has the TC String that travels with every ad bid, paired with a pseudonymous cookie

8. Use cases • Simple • AI Driven site scanning for

   cookies and tags for auto classification of cookies and tags on consent banner • Plain-language privacy-notice generator and translator based on users region with out expensive translation fees • Privacy Enforcement with AI-Automated Data Retention and Deletion • Advanced • Automated DPIA / FRIA risk engine • Privacy Center with «Privacy Assistants»

9. Q&A • Do you already use AI as part of

   your business? • Beyond the cookie banner, have you mapped where these AI systems in your organisation actually touch personal data? • Do you offer users a self-service privacy centre where they can review and change their consents— or is the banner your only interface? • How are data-subject requests handled today in your organization?

10. Thank you [email protected] Connect with me