<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="en"><front><journal-meta><journal-id journal-id-type="publisher-id">digitallaw</journal-id><journal-title-group><journal-title xml:lang="en">Journal of Digital Technologies and Law</journal-title><trans-title-group xml:lang="ru"><trans-title>Journal of Digital Technologies and Law</trans-title></trans-title-group></journal-title-group><issn pub-type="epub">2949-2483</issn><publisher><publisher-name>Kazan Innovative University named after V. G. Timiryasov</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.21202/jdtl.2024.7</article-id><article-id custom-type="edn" pub-id-type="custom">acxhto</article-id><article-id custom-type="elpub" pub-id-type="custom">digitallaw-374</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>ARTICLES</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>СТАТЬИ</subject></subj-group></article-categories><title-group><article-title>Personal Data in Artificial Intelligence Systems: Natural Language Processing Technology</article-title><trans-title-group xml:lang="ru"><trans-title>Персональные данные в системах искусственного интеллекта: технология обработки естественного языка</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-1076-2765</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Ильин</surname><given-names>И. Г.</given-names></name><name name-style="western" xml:lang="en"><surname>Ilin</surname><given-names>I. G.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Ильин Илья Геннадьевич – магистр права в области информационных технологий, аспирант юридического факультета</p><p>199106, г. Санкт-Петербург, 22-я линия В.О., 7</p><p>Scopus Author ID: https://www.scopus.com/authid/detail.uri?authorId=57765898000</p><p>WoS Researcher ID: https://www.webofscience.com/wos/author/record/FDF-0979-2022 </p><p>Google Scholar ID: https://scholar.google.com/citations?user=YruuMK0AAAAJ</p></bio><bio xml:lang="en"><p>Ilya G. Ilin – Master of Arts in Information Technology Law, postgraduate student, </p><p>22nd line of Vasilievsky Island, 7199106 Saint Petersburg</p><p>Scopus Author ID: https://www.scopus.com/authid/detail.uri?authorId=57765898000</p><p>WoS Researcher ID: https://www.webofscience.com/wos/author/record/FDF-0979-2022</p><p>Google Scholar ID: https://scholar.google.com/citations?user=YruuMK0AAAAJ</p></bio><email xlink:type="simple">i.g.ilin@spbu.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Санкт-Петербургский государственный университет</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Saint Petersburg State University</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2024</year></pub-date><pub-date pub-type="epub"><day>20</day><month>03</month><year>2024</year></pub-date><volume>2</volume><issue>1</issue><elocation-id>123–140</elocation-id><permissions><copyright-statement>Copyright &amp;#x00A9; Ilin I.G., 2024</copyright-statement><copyright-year>2024</copyright-year><copyright-holder xml:lang="ru">Ильин И.Г.</copyright-holder><copyright-holder xml:lang="en">Ilin I.G.</copyright-holder><license license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.lawjournal.digital/jour/article/view/374">https://www.lawjournal.digital/jour/article/view/374</self-uri><abstract><sec><title>Objective</title><p>Objective: to conceptualize, from the viewpoint of personal data protection legislation, the development of natural language processing technology, identifying possible legal barriers to such development and directions for further research of the issue.</p></sec><sec><title>Methods</title><p>Methods: the research is based on general scientific methods of cognition, along with which formal-legal and comparative-legal methods were applied, as well as the method of theoretical modeling.</p></sec><sec><title>Results</title><p>Results: it was found that the observance of personal data regime natural language processing in the development of natural language processing technology leads technology, to a conflict between private-legal and public-legal interests, which, personal data in turn, creates obstacles for further development of this technology. The shortcomings of the existing legal order are shown, namely, the insufficient correspondence to the technical features of technology development. This may lead to the risks of excessive regulation, or, on the contrary, to the risks of neglecting critical areas that require protection. Problems in qualifying the data involved in the technology development are outlined. An attempt is made to define the limits of ensuring the lawfulness of personal data processing within the natural language processing technology. The material, temporal and territorial effect of the legal regulation in this field is identified as the limits of ensuring the legality. The author touches upon the possibility of using personal data as a consideration, which is important for the development of natural language processing technology and for the improvement of the information and communication technology industry.</p></sec><sec><title>Scientific novelty</title><p>Scientific novelty: the paper supplements the scientific discussion on the legal regulation of personal data processing by artificial intelligence systems with an analysis of natural language processing technology. The latter is insufficiently studied, making it relevant to research information law, namely, the legal relations arising around artificial intelligence systems, and to assess the impact of a personal data regime on the development of natural language processing technology.</p></sec><sec><title>Practical relevance</title><p>Practical relevance: the applied aspects of the problems researched and the results obtained can be used to improve the legal regulation of public relations in the field of creation and development of artificial intelligence, as well as to identify and assess the legal risks arising in the personal data processing by developers of digital products based on natural language processing technology.</p></sec></abstract><trans-abstract xml:lang="ru"><sec><title>Цель</title><p>Цель: концептуализировать с точки зрения законодательства в области защиты персональных данных процесс развития технологии обработки естественного языка, выявив возможные правовые барьеры для такого развития и направления дальнейшего исследования проблемы.</p></sec><sec><title>Методы</title><p>Методы: в основе исследования находятся общенаучные методы познания, наряду с которыми применялись формально-юридический, сравнительно-правовой методы, а также метод теоретического моделирования.</p></sec><sec><title>Результаты</title><p>Результаты: установлено, что соблюдение режима персональных данных в процессе разработки технологии обработки естественного язык приводит к возникновению конфликта между частными и публично-правовыми интересами, что, в свою очередь, создает препятствия для дальнейшего развития обозначенной технологии. Показаны недостатки существующего правопорядка, который не в полной мере отвечает техническим особенностям развития технологии, что может привести к рискам излишнего регулирования, или же, напротив, к рискам оставления без внимания критических областей, требующих защиты. Обозначены проблемы при квалификации данных, задействованных в развитии рассматриваемой технологии. Предпринята попытка определить пределы обеспечения законности обработки персональных данных в составе технологии обработки естественного языка. Выделено в качестве пределов обеспечения законности материальное, временное и территориальное действие правового регулирования в данной области. Затрагивается проблема возможности использования персональных данных в качестве встречного представления, что является важным для развития технологии обработки естественного языка и для совершенствования отрасли информационно-коммуникационных технологий. </p></sec><sec><title>Научная новизна</title><p>Научная новизна: данная работа дополняет научную дискуссию о правовом регулировании обработки персональных данных системами искусственного интеллекта аналитикой, выполненной в контексте технологии обработки естественного языка. Невысокая степень изученности последней обуславливает необходимость исследования области информационного права в части правоотношений по созданию систем искусственного интеллекта и оценки влияния режима персональных данных на развитие технологии обработки естественного языка.</p></sec><sec><title>Практическая значимость</title><p>Практическая значимость: затрагиваемые в статье прикладные аспекты исследуемой проблематики и полученные результаты могут быть использованы для совершенствования правового регулирования общественных отношений в области создания и развития искусственного интеллекта, а также для выявления и оценки правовых рисков, возникающих при обработке персональных данных разработчиками цифровых продуктов на базе технологии обработки естественного языка.</p></sec></trans-abstract><kwd-group xml:lang="ru"><kwd>биометрические данные</kwd><kwd>законность</kwd><kwd>законодательство</kwd><kwd>искусственный интеллект</kwd><kwd>лигалтех</kwd><kwd>технология обработки естественного языка</kwd><kwd>персональные данные</kwd><kwd>право</kwd><kwd>правовой риск</kwd><kwd>цифровые технологии</kwd></kwd-group><kwd-group xml:lang="en"><kwd>artificial intelligence</kwd><kwd>biometric data</kwd><kwd>digital technologies</kwd><kwd>law</kwd><kwd>lawfulness</kwd><kwd>legal risk</kwd><kwd>LegalTech</kwd><kwd>legislation</kwd><kwd>natural language processing technology</kwd><kwd>personal data</kwd></kwd-group></article-meta></front><body><sec><title>Introduction</title><p>Natural language processing (NLP) technology is actively used in digital goods and services (digital products) to build human-computer communication (Hirschberg &amp; Manning, 2015; Truyens &amp; Van Eecke, 2014). Voice assistants, spell-checking services, text translation and voicing, voice biometrics, and interactive voice response systems are all examples of products using this technology.</p><p>The use of language and speech in information technologies opens up new prospects in artificial intelligence development, creates opportunities for the development of innovative digital products that contribute to the digital transformation of society, such as ChatGPT and its analogs, and determines the LegalTech industry development. The high economic potential and social significance of the technology, due to the importance of language for national and cultural identity (Hobsbawn, 1996), determine the interest of society, business and government in its advancement.</p><p>In turn, despite its innovative nature and socio-economic benefits of this technology, the analysis of the current legal order indicates the existence of legal obstacles to its development.</p><p>From a technical point of view, one of the main challenges for the development of natural language processing technology is the creation and subsequent dissemination of linguistic corpora (electronic speech resources). In a broad sense, linguistic corpora can be understood as databases containing a variety of texts (books, text transcriptions, translations, etc.) and audio files (audiobooks, broadcast recordings, podcasts, other audio content), which are subsequently used in machine learning algorithms (Kelli et al., 2012; Ilin, 2019). The creation of linguistic corpora involves sequentially passing two stages: language digitization  – the collection and translation of data into a machine-readable format and their subsequent intellectual analysis (text and data mining, TDM) (Jents &amp; Kelli, 2014; Ilin, 2019). Without massive linguistic corpora available, as well as without the stakeholders’ ability to access them, technology will not develop and work.</p><p>From a legal point of view, a linguistic corpus as it is and its individual elements may include personal or other data with a special legal regime, such as data protected by secret communication. Accordingly, the relations involving the creation and dissemination of linguistic corpora will be simultaneously influenced by the legislation on personal data protection and by special sectoral legislation.</p><p>The article objective is to conceptualize, from the viewpoint of personal data protection legislation, the development of natural language processing technology, to identify possible legal obstacles to such development, and to propose directions for further elaboration of the problem. The research result complements the academic discussion on the legal regulation of personal data processing by artificial intelligence systems (Sviridova, 2021; Konev, 2020; Egorova et al., 2021) by analyzing the problem in the context of this technology functioning. It can be used in practice to identify and assess the legal risks arising from the personal data processing by developers of digital products based on natural language processing technology.</p></sec><sec><title>1. Personal data within the linguistic corpus</title></sec><sec><title>1.1. Definition and legal regime</title><p>As was outlined above, a key process for the development of natural language processing technology will be the creation of linguistic corpora and their dissemination among stakeholders. Elements of a linguistic corpus can be qualified as personal data. The modern approach to the definition of the “personal data” concept, based on para. 1, Art. 3 of the Federal Law “On Personal Data”1, provides for a broad interpretation of the term and for qualifying as personal data virtually any data that directly or indirectly allow identifying a natural person. This leads to the inevitable emergence of personal data as part of a linguistic corpus.</p><p>Personal data require a special regime of legal and technical protection. In a general sense, the special legal regime of personal data, on the one hand, is aimed at ensuring the protection of rights belonging to the data subject; on the other hand, it imposes a number of restrictions on the use of such data in the creation of a linguistic corpus (Ilin, 2020). In this regard, the task of distinguishing the personal data used from other types of data will be fundamental for the creation of a linguistic corpus. In practice, this is not always possible: the boundary between personal and other data is not always clear.</p><p>First of all, there is a problem in defining the very concept of “data”. Paragraph 1 of Art. 3 of the Federal Law “On Personal Data”2 defines data as “any information...”. In turn, Art. 2 of the Federal Law “On Information, Information Technologies and Information Protection”3 defines information as “data (messages, data)...”. In other words, from the correlation of these definitions we may conclude that data is data, i.e. the concept is defined through itself. This may create difficulties when trying to determine the form in which personal data can be expressed and, consequently, to qualify a piece of information as personal data.</p><p>Second, one of the most problematic aspects in qualifying data as personal data is that the current legislation relies on a binary approach in defining the concept of personal data. According to this approach, data can be either personal or not. In the author’s opinion, the binary approach to the definition of personal data does not sufficiently take into account the current state of digitalization of society, the level of technological development, and the socio-economic changes that have occurred over the past few years. For example, such a definition does not take into account that data science and computer science distinguish different levels of possible identifiability and attribute a certain set of risks to each level (Kolain et al., 2022). In addition, it does not take into account the fact that data may be identifiable for one subject, for example, in combination with other datasets, but not for others (Oostveen, 2016).</p><p>Third, the status of data during processing can also be dynamical and not static (Purtova, 2018). In other words, during processing, data can become personalized or, conversely, lose this status. For example, during creating a linguistic corpus and a language model based on it, the personal data used may lose identity markers and thus lose the status of personal (Kelli et al., 2021). This means that, in a practical sense, data can only be qualified as personal data at a certain point in time or stage of processing, which can make it difficult to respect the legality of the entire processing.</p><p>The dynamic nature of data is of fundamental importance to and affects, firstly, distinguishing personal data from other types of data (for example, there are fewer requirements for the processing of non-personal data); secondly, it influences the choice of the processed personal data category.</p><p>Legislation in the sphere of personal data protection identifies four main categories of personal data: “general”, “biometric”, “special” or “sensitive”, and “personal data authorized for dissemination”. Biometric data refer to the biological and physiological characteristics of an individual that can be used for identification4. The special or sensitive category of data is the data that indicate “political opinions, racial or ethnic origin, philosophical or religious views, health status, or sexual orientation”5. Personal data authorized for dissemination are the data that, with the subject’s consent, may be disseminated and made available to an unlimited number of persons6. This categorization of personal data is an initial prerequisite for data processing. For example, biometric data can be processed only after obtaining the explicit consent of the data subject. Processing of the special category of personal data is, as a general rule, prohibited. Different categories of data have different requirements to ensure the level of protection, both technical and legal (Krivogin, 2017). Hence, qualifying data as personal data poses the task of not only distinguishing personal data from other types of data, but also determining the belonging of personal data to a certain category.</p></sec><sec><title>1.2. Qualification of voice as personal data in various jurisdictions</title><p>In the context of creating a linguistic corpus, the use of speech data  – human voice samples  – illustrates the complexity of the task described above. Natural language processing technology relies heavily on the processing of said data. For example, they are used in voice assistants, text transcription systems, real-time translation of conversations, etc. The possibility of categorizing voice as personal data and choosing the appropriate category may cause a number of difficulties in practice.</p><p>The proposed broad approach to the definition of personal data allows assuming that voice contains enough personal identifiers to be classified as personal data. This approach can also be found in the practice of the European Court of Human Rights (ECHR)7, whose jurisdiction until recently extended to Russia. At the same time, the current Russian legislation, as well as the existing judicial practice, does not provide an unambiguous answer as to whether voice shall always be categorized as personal data. In practice, one may find cases when a recorded voice is not qualified as personal data (Arkhipov &amp; Naumov, 2016). Indeed, it can be assumed that the voice will not always qualify as personal data, for example, due to distortion, brevity of the sample, or lack of associated identifiers.</p><p>At the same time, it seems that the probability of qualifying the voice as personal data is quite high, which raises the question of its categorization. Of particular interest is the division between the general category and the categories providing for a higher level of protection. From the viewpoint of the latter, voice can be considered as biometric or health data. For example, voice can be used as a biomarker to detect an early stage of Parkinson’s disease (Tracy et al., 2020) or to provide information about an individual’s mental state, stress level, emotional state, sleep deprivation, and other health-related data (Chang et al., 2011). Voice as a unique characteristic of an individual (biometric data) is often used to establish a person’s identity (voice biometrics) (Jain et al., 2004). Voice may also contain personal data that fall under a general category. For example, such data may appear in speech content or sample-related metadata (age, gender, etc.).</p><p>The relevant clarifications of Roskomnadzor8, now repealed9, recommended that biometric data could be distinguished from other categories of data based on the purpose of processing. If the purpose of processing is related to personal identification, such data are to be qualified and processed as biometric data, otherwise they are not. This approach seems logical; otherwise, for example, the broadcasting of any TV or radio program would mean biometric data processing and would require compliance with the relevant legal regime. It is reasonable to assume that the same approach could be applied to health data. Obviously, in most cases, health data are not required to create a linguistic corpus and operate the natural language processing technology; therefore, as long as such data are not extracted, voice processing would not require a special legal regime.</p><p>However, it should be noted that, regardless of the purpose for which the voice is processed, it still contains biometric and health data; therefore, there is always a risk that this data could be extracted from the voice. This raises a general and more conceptual question: is the presence of such a risk sufficient to place personal data in categories with a higher level of protection, such as the “special” or “biometric” category? As far as the author is aware, there is no judicial practice on this issue in Russia. If we turn to other jurisdictions, we can find a similar case in the practice of the Court of Justice of the European Union10. In the case in question, the court used a broad approach to the interpretation of the “special” data category and included data that do not directly belong to it, but could potentially be extracted. In our opinion, this approach is at least debatable. Firstly, it is not quite clear how to determine that the data used contain hidden data, which in case of extraction may change its qualification. Their presence is not always obvious. Secondly, categorizing data as “special” means that they cannot be processed, except in specific cases listed in Art. 10 of the Law on personal data or Art. 9 of the General Data Protection Regulation11. In such a situation, it is difficult to ensure that data processing complies with legal requirements; this, in turn, may make it impossible to use the data to the extent necessary and, consequently, to achieve the purposes for which the data were processed.</p><p>In addition, it is important that the risk level of potentially extracting additional information that could change the data qualification varies depending on the particular case of processing. For example, speech data in a linguistic corpus are not publicly available, and the range of persons who can access and use it to extract additional information is limited. Moreover, this requires specialized knowledge and technical means. In other words, the ordinary processing of data within a linguistic corpus has a low risk of extracting “special” or “biometric” data from the voice. Hence, it seems that, on the one hand, the broad definition of data categories increases the level of protection of the data subject rights; on the other hand, it largely limits the possibilities to use them for technological development. In this situation, in order to balance the interests of the data subject and those who process data, it is important not only to identify the risk of potential information extraction but also to technically and legally assess that risk.</p></sec><sec><title>2. Limits of ensuring the lawfulness of personal data processing as part of natural language processing technology</title><p>The use of personal data to create a linguistic corpus and develop natural language processing technology necessitates their processing in strict compliance with the law. The Russian legislation broadly interprets the concept of personal data processing12, so there is little doubt that actions performed with data while using them as part of natural language processing technology will qualify as personal data processing (Ilin &amp; Kelli, 2020). In turn, this poses the question of the limit to which data processing must comply with legal requirements. For example, if a language model was created using personal data, does this mean that further use of products created using this model is also subject to the personal data protection law?</p><p>The limits in ensuring the lawfulness of personal data processing as part of natural language processing technology can be defined through the material, temporal and territorial effects of the legal regulation in this field (Ilin, 2020).</p><p>In the context of natural language processing technology, the material effect can be defined through the various levels of personal data use in developing the relevant digital products. These levels include gathering material to create a dataset, compiling the dataset, annotating, creating a language model, and developing the final digital product (Kelli et al., 2021). For example, a language model consists of linguistic rules and it is currently almost impossible to extract any personal data from it, as the identifiability of data subjects is lost in the process of language model creation. Therefore, the treatment of the data used to create the model will generally not correspond to the legal treatment of the language model built on that data (Kelli et al., 2021).</p><p>The time limits for ensuring the lawfulness of data processing can be defined through the period during which the data subject’s right to their data protection is in force. However, the Russian legislation does not set a time limit for the validity of such a right, indicating the need to comply with personal data regulation, including in relation to the data of deceased persons13, and without any indication of time limits. One may agree with the opinion of some researchers that this gap should be bridged, for which it would be advisable to set the term of personal data protection equal to that of a person’s privacy protection (Vazhorova, 2012).</p><p>The limits of ensuring the lawfulness of data processing in terms of territorial validity will be determined taking into account the national jurisdictions in which the relevant digital products are created or distributed. The problem is that digital products built using natural language processing technology usually do not focus on one country, but seek to cover markets in different countries. For example, Alice the voice assistant by Yandex supports the Turkish language; the speech-to-text system by Google supports over 120 languages and can be integrated with other digital products. Therefore, the question arises about the need to comply not only with national legislation on personal data protection, but also with the relevant regulation of other countries  – for example, Turkish law  – to collect data and form a linguistic corpus in Turkish.</p><p>Russian legislation in the field of personal data protection as a general rule has no extraterritorial effect. Consequently, it does not apply to non-residents processing personal data of Russian citizens abroad. This rule has two exceptions. The first relates to the requirement of data localization, and the second relates to cases of state security.</p><p>The rule of localization of processing of the personal data of Russian citizens obliges data processors to store, collect and use personal data of Russian citizens only in databases located in the territory of the Russian Federation. This rule applies: if the information being processed contains personal data; if these data were collected (i.e., received from third parties) and processed; and if these data are related to Russian citizens (Savelyev, 2016). The latter condition raises the problem of determining citizenship within the framework of the use of information technologies.</p><p>This problem was partially resolved after Roskomnadzor provided clarifications according to which citizenship should be understood as the territory where processing takes place; if there are doubts about the data subject’s citizenship, all information processed and collected in Russia should be localized in databases located in Russia. At the same time, the issue of identification and processing of personal data of Russian citizens that are collected outside the Russian jurisdiction is still open (Ilin, 2020).</p><p>An example of cases where state security measures have an extraterritorial effect on personal data protection legislation is the requirement for organizers of information dissemination and providers of telecommunication services to store Internet traffic (voice and text messages, photos, videos, sounds, file metadata), as well as to provide encryption keys to decrypt Internet traffic if the required data are stored or processed in encrypted form14. It is important that this requirement is not limited to any territory. It should be noted, however, that compliance with these rules may be difficult for companies, as they will be forced to violate their national data protection regulation. For example, some provisions of the General Regulation on personal data protection15, which regulates legal relations in the field of personal data protection in the EU, contradict the above requirement (Ilin, 2020).</p></sec><sec><title>3. Using personal data to pay for digital products based on natural language processing technology and legal qualification issues</title><p>In today’s digital economy, products using natural language processing technology are widely marketed under a business model that does not involve a monetary reward from the product user. Instead, the vendor benefits from the use of data that have either been intentionally provided by the user or automatically collected or created by the vendor. The application of this business model and the payment for goods and services with data has opened a debate about the extent to which data per se can be a means of payment. First and foremost, doubts arise regarding the economic and legal characteristics of data. While one of the main concerns about the economic characteristics of data is the problem of measuring their economic potential and value, which cannot be determined either by the market or by contract (Lohsse et al., 2020), the legal discussion arises around the definition of the personal data legal regime, the relationship governing the legal rules, and the content of legal relations in this area (Helberger et al., 2017; Metzger, 2017; Svantesson, 2018).</p><p>The use of natural language processing products involves an intensive data exchange between the user and the provider (Goldberg, 2017). The data can be intentionally transmitted by the user to the provider (e.g., by voice command), collected by the provider (e.g., recording a voice sample, location data), or created by the service (e.g., the result of a text translation). In most cases, the provider uses the collected data not only to provide the user with a digital product, but also to further develop and improve it, as well as for commercial purposes not directly related to the marketed product. For example, a supplier can use the user’s voice to analyze the emotional reaction to the advertising content and use the analysis result to sell other goods and services (Sartor, 2020). The possibility of such use of data raises the question of its qualification, the applicable legal regime, and the possibility of defining data as an object of property right (Talapina, 2020). In addition, the use of personal data as a consideration raises the question of the legal concept of personal data as one of the fundamental human rights  – the right to respect for private and family life. It seems that the current legislation in the field of personal data protection does not in itself prohibit such use of data, but imposes a number of limitations, in a general sense related to the need to ensure the legality of such processing (Saveliev, 2021).</p><p>At the same time, the use of data as a consideration raises another issue concerning the recoverability of civil law contracts used for the practical application of the business model in question and, consequently, the possibility of extending the law on consumer protection to such relations. On the one hand, para. 1 Art. 423 of the Civil Code of the Russian Federation16 explicitly stipulates, as one of the characteristics of recoverability, the execution of “another consideration” for fulfillment of contractual obligations, while providing the user with additional guarantees and legal mechanisms for the consumer rights protection balances the user’s relations with the supplier, in relation to whom the user has a weaker position.</p><p>On the other hand, the use of data as a new means of payment may cause problems in law enforcement practice. For example, in order to apply consumer protection measures that directly depend on the product or service value, it is necessary to determine the monetary equivalent of the transferred data, which, given the economic and legal nature of data, seems difficult to implement.</p></sec><sec><title>Conclusions</title><p>The article objective was to conceptualize, from the viewpoint of personal data protection legislation, the development of natural language processing technology. The analysis of the existing legal framework has shown that it does not fully correspond to the technical features of the technology development, which may lead either to over-regulation or, on the contrary, to the neglect of critical areas requiring protection. In particular, problems arise in qualifying the data, involved in the technology development, as personal data and in their subsequent categorization. This problem is well illustrated by the example of the use of speech data  – samples of a person’s voice. An attempt to define the limits of ensuring the legality of data processing also causes difficulties and requires further clarification both in terms of substantive, temporal and territorial validity of legal regulation in this area. Another issue that needs further research is the possibility of using personal data as a consideration. This problem appears relevant not only for the development of natural language processing technology, but also for the development of the information and communication technology industry in general.</p><p>Further research may be aimed at analyzing and developing solutions that will contribute, on the one hand, to overcoming the revealed legal obstacles to the technology development, and, on the other hand, to improving the legal protection of critical areas that require additional protection.</p><p>1. On Personal Data. No. 152-FZ of 27.07.2006 (ed. of 06.02.2023). SPS KonsultantPlyus. https://clck.ru/gLnFq
2. Ibid.
3. On information, information technologies and information protection. No. 149-FZ of 27.07.2006. SPS KonsultantPlyus. https://clck.ru/3967pC
4. On Personal Data. No. 152-FZ of 27.07.2006 (ed. of 06.02.2023). Art. 11. SPS KonsultantPlyus. https://clck.ru/gLnFq
5. Idid. Art. 10.
6. Idid. Art. 10.1.
7. Case of S. and Marper v. the United Kingdom (App. No 30562/04, 30566/04). 04.12.2008. ECtHR. §84. https://clck.ru/3968V5
8. Roskomnadzor. (2013, 2 September). Clarifications on referring photo- and video-images, dactyloscopic data and other information to biometric personal data and features of their processing. https://clck.ru/3968ky
9. Letter of Roskomnadzor of 19.11.2021 No. 09–78548 “On irrelevance of clarifications by Roskomnadzor”. SPS KonsultantPlyus. https://clck.ru/3968n6
10. Case C-184/20 OT v Vyriausioji tarnybinės etikos komisija. EU:C:2022:601. https://clck.ru/3969Ee
11. Article 10 of Federal Law “On Personal Data”, Art. 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016, April 27). https://clck.ru/3969GL
12. On Personal Data. No. 152-FZ of 27.07.2006 (ed. of 06.02.2023). Para. 3 Art. 3. SPS KonsultantPlyus. https://clck.ru/gLnFq
13. Ibid. Para. 7 Art. 9.
14. On amendments to the Federal Law “On Combating Terrorism” and certain legislative acts of the Russian Federation with regard to the introduction of additional measures to combat terrorism and ensure public security. No. 374-FZ of 06.07.2016. (2016). SPS KonsultantPlyus. https://clck.ru/3969WT; On amendments to the Criminal Code of the Russian Federation and the Criminal-Procedural Code of the Russian Federation with regard to the establishment of additional measures to counter terrorism and ensure public security. No. 375-FZ of 06.07.2016. (2016). SPS KonsultantPlyus. https://clck.ru/3969aF
15. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016 April 27). https://clck.ru/3969dk
16. Civil Code of the Russian Federation (part 1) of 30.11.1994 No. 51-FZ, ed. of 24.07.2023. SPS KonsultantPlyus. https://clck.ru/3969nv
</p></sec></body><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Важорова, М. А. (2012). Соотношение понятий «Информация о частной жизни» и «Персональные данные». Вестник Саратовской государственной юридической академии, 4(87), 55–59.</mixed-citation><mixed-citation xml:lang="en">Arkhipov, V., &amp; Naumov, V. (2016). The legal definition of personal data in the regulatory environment of the Russian Federation: Between formal certainty and technological development. Computer Law &amp; Security Review, 32(6), 868–887. https://doi.org/10.1016/j.clsr.2016.07.009</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Егорова, М. А., Минбалеев, А. В., Кожевина, О. В., Ален, Д. (2021). Основные направления правового регулирования использования искусственного интеллекта в условиях пандемии. Вестник Санкт-Петербургского университета. Право, 12(2), 250–262. https://doi.org/10.21638/spbu14.2021.201</mixed-citation><mixed-citation xml:lang="en">Chang, K. H., Fisher, D., &amp; Canny, J. (2011). Ammon: A speech analysis library for analyzing affect, stress, and mental health on mobile phones. Proceedings of PhoneSense, 2011.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Конев, С. И. (2020). Административная ответственность за нарушения законодательства Российской Федерации в области персональных данных: новые вызовы. Вопросы российского и международного права, 10(10-1), 274–282. https://elibrary.ru/fasdwm</mixed-citation><mixed-citation xml:lang="en">Egorova, M. A., Minbaleev, A. V., Kozhevina, O. V., &amp; Dufolt, A. (2021). Main directions of legal regulation of the use of artificial intelligence in the context of a pandemic. Vestnik of Saint Petersburg University. Law, 12(2), 250–262. (In Russ.). https://doi.org/10.21638/spbu14.2021.201</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Кривогин, М. С. (2017). Особенности правового регулирования биометрических персональных данных. Право. Журнал высшей школы экономики, 2, 80–89. EDN: https://elibrary.ru/zfcizt. DOI: https://doi.org/10.17323/2072-8166.2017.2.80.89</mixed-citation><mixed-citation xml:lang="en">Goldberg, Y. (2017). Neural network methods for natural language processing. Springer Nature. https://doi. org/10.1007/978-3-031-02165-7</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Савельев, А. И. (2021). Гражданско-правовые аспекты регулирования оборота персональных данных. Вестник гражданского права, 21(4), 104–129. EDN: https://elibrary.ru/vgyyau. DOI: https://doi.org/10.24031/1992-2043-2021-21-4-104-129</mixed-citation><mixed-citation xml:lang="en">Helberger, N., Borgesius, F. Z., &amp; Reyna, A. (2017). The perfect match? A closer look at the relationship between EU consumer law and data protection law. Common Market Law Review, 54(5), 1427–1465. https://doi.org/10.54648/cola2017118</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Свиридова, Е. А. (2021). Открытые и персональные данные в системах искусственного интеллекта: правовые аспекты. Проблемы экономики и юридической практики, 17(6), 61–68. https://elibrary.ru/xokzik</mixed-citation><mixed-citation xml:lang="en">Hirschberg, J., &amp; Manning, C. D. (2015). Advances in natural language processing. Science, 349(6245), 261–266. https://doi.org/10.1126/science.aaa8685</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Талапина, Э. В. (2020). Закон об информации в эпоху больших данных. Вестник Санкт-Петербургского университета. Право, 11(1), 4–18. EDN: https://elibrary.ru/grjtqp. DOI: https://doi.org/10.21638/spbu14.2020.101</mixed-citation><mixed-citation xml:lang="en">Hobsbawn, E. (1996). Language, culture, and national identity. Social Research, 63(4), 1065–1080.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Arkhipov, V., &amp; Naumov, V. (2016). The legal definition of personal data in the regulatory environment of the Russian Federation: Between formal certainty and technological development. Computer Law &amp; Security Review, 32(6), 868–887. https://doi.org/10.1016/j.clsr.2016.07.009</mixed-citation><mixed-citation xml:lang="en">Ilin, I. (2019). Legal Regime of the Language Resources in the Context of the European Language Technology Development. In Z. Vetulani, P. Paroubek, &amp; M. Kubis (Eds.), Human Language Technology. Challenges for Computer Science and Linguistics. LTC 2019. Lecture Notes in Computer Science (vol 13212, pp. 367–376). Springer, Cham. https://doi.org/10.1007/978-3-031-05328-3_24</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Chang, K. H., Fisher, D., &amp; Canny, J. (2011). Ammon: A speech analysis library for analyzing affect, stress, and mental health on mobile phones. Proceedings of PhoneSense, 2011.</mixed-citation><mixed-citation xml:lang="en">Ilin, I. (2020). The Voice and Speech Processing within Language Technology Applications: Perspective of the Russian Data Protection Law. Legal Issues in the digital Age, 1(1), 99–123. https://doi.org/10.17323/27132749.2020.1.99.123</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Goldberg, Y. (2017). Neural network methods for natural language processing. Springer Nature. https://doi.org/10.1007/978-3-031-02165-7</mixed-citation><mixed-citation xml:lang="en">Ilin, I., &amp; Kelli, A. (2020). The use of human voice and speech for development of language technologies: the EU and Russian data-protection law perspectives. Juridica Int’l, 29, 71–85. https://doi.org/10.12697/ji.2020.29.07</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Helberger, N., Borgesius, F. Z., &amp; Reyna, A. (2017). The perfect match? A closer look at the relationship between EU consumer law and data protection law. Common Market Law Review, 54(5), 1427–1465. https://doi.org/10.54648/cola2017118</mixed-citation><mixed-citation xml:lang="en">Jain, A. K., Ross, A., &amp; Prabhakar, S. (2004). An introduction to biometric recognition. IEEE Transactions on circuits and systems for video technology, 14(1), 4–20. https://doi.org/10.1109/tcsvt.2003.818349</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Hirschberg, J., &amp; Manning, C. D. (2015). Advances in natural language processing. Science, 349(6245), 261–266. https://doi.org/10.1126/science.aaa8685</mixed-citation><mixed-citation xml:lang="en">Jents, L., &amp; Kelli, A. (2014). Legal aspects of processing personal data in development and use of digital language resources: the Estonian perspective. Jurisprudence, 21(1), 164–184. https://doi.org/10.13165/jur-14-21-1-08</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Hobsbawn, E. (1996). Language, culture, and national identity. Social Research, 63(4), 1065–1080.</mixed-citation><mixed-citation xml:lang="en">Kelli, A., Lindén, K., Kamocki, P., Vider, K., Labropoulou, P., Birštonas, R., Mantrov., V., Hannesschläger, V., Del Gratta, R., Värv, A., Tavits, G., &amp; Vutt, A. (2021). The interplay of legal regimes of personal data, intellectual property and freedom of expression in language research. In M. Monachini &amp; M. Eskevich (Eds.), Proceedings CLARIN Annual Conference 2021 (pp. 154–159). https://doi.org/10.3384/ecp1898</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Ilin, I. (2019). Legal Regime of the Language Resources in the Context of the European Language Technology Development. In Z. Vetulani, P. Paroubek, &amp; M. Kubis (Eds.), Human Language Technology. Challenges for Computer Science and Linguistics. LTC 2019. Lecture Notes in Computer Science (vol. 13212, pp. 367–376). Springer, Cham. https://doi.org/10.1007/978-3-031-05328-3_24</mixed-citation><mixed-citation xml:lang="en">Kelli, A., Tavast, A., &amp; Pisuke, H. (2012). Copyright and constitutional aspects of digital language resources: The Estonian approach. Juridica International, 19, 40.</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Ilin, I. (2020). The Voice and Speech Processing within Language Technology Applications: Perspective of the Russian Data Protection Law. Legal Issues in the digital Age, 1(1), 99–123. https://doi.org/10.17323/27132749.2020.1.99.123</mixed-citation><mixed-citation xml:lang="en">Kolain, M., Grafenauer, C., &amp; Ebers, M. (2022). Anonymity Assessment – A Universal Tool for Measuring Anonymity of Data Sets under the GDPR with a Special Focus on Smart Robotics. Rutgers University Computer &amp; Technology Law Journal, 48(2). https://ssrn.com/abstract=3971139</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Ilin, I., &amp; Kelli, A. (2020). The use of human voice and speech for development of language technologies: the EU and Russian data-protection law perspectives. Juridica Int’l, 29, 71–85. https://doi.org/10.12697/ji.2020.29.07</mixed-citation><mixed-citation xml:lang="en">Konev, S. I. (2020). Administrative responsibility for violations of the legislation of the Russian Federation in the field of personal data: new challenges. Voprosy rossiiskogo i mezhdunarodnogo prava, 10(10-1), 274–282. (In Russ.).</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Jain, A. K., Ross, A., &amp; Prabhakar, S. (2004). An introduction to biometric recognition. IEEE Transactions on circuits and systems for video technology, 14(1), 4–20. https://doi.org/10.1109/tcsvt.2003.818349</mixed-citation><mixed-citation xml:lang="en">Krivogin, M. (2017). Peculiarities of legal regulating biometric personal data. Law. Journal of the Higher School of Economics, 2, 80–89. (In Russ.). https://doi.org/10.17323/2072-8166.2017.2.80.89</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Jents, L., &amp; Kelli, A. (2014). Legal aspects of processing personal data in development and use of digital language resources: the Estonian perspective. Jurisprudence, 21(1), 164–184. https://doi.org/10.13165/jur-14-21-1-08</mixed-citation><mixed-citation xml:lang="en">Lohsse, S., Schulze, R., &amp; Staudenmayer, D. (Eds.) (2020). Data as counter-performance-Contract Law 2.0? Baden-Baden: Nomos Verlagsgesellschaft mbH &amp; Company KG. https://doi.org/10.5771/9783748908531</mixed-citation></citation-alternatives></ref><ref id="cit19"><label>19</label><citation-alternatives><mixed-citation xml:lang="ru">Kelli, A., Lindén, K., Kamocki, P., Vider, K., Labropoulou, P., Birštonas, R., Mantrov., V., Hannesschläger, V., Del Gratta, R., Värv, A., Tavits, G., &amp; Vutt, A. (2021). The interplay of legal regimes of personal data, intellectual property and freedom of expression in language research. In M. Monachini &amp; M. Eskevich (Eds.), Proceedings CLARIN Annual Conference 2021 (pp. 154–159). https://doi.org/10.3384/ecp1898</mixed-citation><mixed-citation xml:lang="en">Metzger, A. (2017). Data as counter-performance: what rights and duties do parties have. Journal of Intellectual Property, Information Technology and Electronic Commerce Law, 8(1), 2.</mixed-citation></citation-alternatives></ref><ref id="cit20"><label>20</label><citation-alternatives><mixed-citation xml:lang="ru">Kelli, A., Tavast, A., &amp; Pisuke, H. (2012). Copyright and constitutional aspects of digital language resources: The Estonian approach. Juridica International, 19, 40.</mixed-citation><mixed-citation xml:lang="en">Oostveen, M. (2016). Identifiability and the applicability of data protection to big data. International Data Privacy Law, 6(4), 299–309. https://doi.org/10.1093/idpl/ipw012</mixed-citation></citation-alternatives></ref><ref id="cit21"><label>21</label><citation-alternatives><mixed-citation xml:lang="ru">Kolain, M., Grafenauer, C., &amp; Ebers, M. (2022). Anonymity Assessment – A Universal Tool for Measuring Anonymity of Data Sets under the GDPR with a Special Focus on Smart Robotics. Rutgers University Computer &amp; Technology Law Journal, 48(2). https://ssrn.com/abstract=3971139</mixed-citation><mixed-citation xml:lang="en">Purtova, N. (2018). The law of everything. Broad concept of personal data and future of EU data protection law. Law, Innovation and Technology, 10(1), 40–81. https://doi.org/10.1080/17579961.2018.1452176</mixed-citation></citation-alternatives></ref><ref id="cit22"><label>22</label><citation-alternatives><mixed-citation xml:lang="ru">Lohsse, S., Schulze, R., &amp; Staudenmayer, D. (Eds.). (2020). Data as counter-performance-Contract Law 2.0? Baden-Baden: Nomos Verlagsgesellschaft mbH &amp; Company KG. https://doi.org/10.5771/9783748908531</mixed-citation><mixed-citation xml:lang="en">Sartor, G. (2020). New aspects and challenges in consumer protection. Digital services and artificial intelligence. European Parliament.</mixed-citation></citation-alternatives></ref><ref id="cit23"><label>23</label><citation-alternatives><mixed-citation xml:lang="ru">Metzger, A. (2017). Data as counter-performance: what rights and duties do parties have. Journal of Intellectual Property, Information Technology and Electronic Commerce Law, 8(1), 2.</mixed-citation><mixed-citation xml:lang="en">Savelyev, A. (2016). Russia’s new personal data localization regulations: A step forward or a self-imposed sanction? Computer Law &amp; Security Review, 32(1), 128–145. https://doi.org/10.1016/j.clsr.2015.12.003</mixed-citation></citation-alternatives></ref><ref id="cit24"><label>24</label><citation-alternatives><mixed-citation xml:lang="ru">Oostveen, M. (2016). Identifiability and the applicability of data protection to big data. International Data Privacy Law, 6(4), 299–309. https://doi.org/10.1093/idpl/ipw012</mixed-citation><mixed-citation xml:lang="en">Savelyev, A. I. (2021). Civil law aspects of commercialization of personal data. Civil Law Review, 21(4), 104–129. (In Russ.). https://doi.org/10.24031/1992-2043-2021-21-4-104-129</mixed-citation></citation-alternatives></ref><ref id="cit25"><label>25</label><citation-alternatives><mixed-citation xml:lang="ru">Purtova, N. (2018). The law of everything. Broad concept of personal data and future of EU data protection law. Law, Innovation and Technology, 10(1), 40–81. https://doi.org/10.1080/17579961.2018.1452176</mixed-citation><mixed-citation xml:lang="en">Svantesson, D. J. B. (2018). Enter the quagmire – the complicated relationship between data protection law and consumer protection law. Computer Law &amp; Security Review, 34(1), 25–36. https://doi.org/10.1016/j.clsr.2017.08.003</mixed-citation></citation-alternatives></ref><ref id="cit26"><label>26</label><citation-alternatives><mixed-citation xml:lang="ru">Sartor, G. (2020). New aspects and challenges in consumer protection. Digital services and artificial intelligence. European Parliament.</mixed-citation><mixed-citation xml:lang="en">Sviridova, E. A. (2021). Open and personal data in artificial intelligence systems: legal aspects. Economic Problems and Legal Practice, 17(6), 61–68. (In Russ.).</mixed-citation></citation-alternatives></ref><ref id="cit27"><label>27</label><citation-alternatives><mixed-citation xml:lang="ru">Savelyev, A. (2016). Russia’s new personal data localization regulations: A step forward or a self-imposed sanction? Computer Law &amp; Security Review, 32(1), 128–145. https://doi.org/10.1016/j.clsr.2015.12.003</mixed-citation><mixed-citation xml:lang="en">Talapina, E. V. (2020). The Law on information during an era of Big Data. Vestnik of Saint Petersburg University. Law, 11(1), 4–18. (In Russ.). https://doi.org/10.21638/spbu14.2020.101</mixed-citation></citation-alternatives></ref><ref id="cit28"><label>28</label><citation-alternatives><mixed-citation xml:lang="ru">Svantesson, D. J. B. (2018). Enter the quagmire – the complicated relationship between data protection law and consumer protection law. Computer Law &amp; Security Review, 34(1), 25–36. https://doi.org/10.1016/j.clsr.2017.08.003</mixed-citation><mixed-citation xml:lang="en">Tracy, J. M., Özkanca, Y., Atkins, D. C., &amp; Ghomi, R. H. (2020). Investigating voice as a biomarker: deep phenotyping methods for early detection of Parkinson’s disease. Journal of Biomedical Informatics, 104, 103362. https://doi.org/10.1016/j.jbi.2019.103362</mixed-citation></citation-alternatives></ref><ref id="cit29"><label>29</label><citation-alternatives><mixed-citation xml:lang="ru">Tracy, J. M., Özkanca, Y., Atkins, D. C., &amp; Ghomi, R. H. (2020). Investigating voice as a biomarker: deep phenotyping methods for early detection of Parkinson’s disease. Journal of Biomedical Informatics, 104, 103362. https://doi.org/10.1016/j.jbi.2019.103362</mixed-citation><mixed-citation xml:lang="en">Truyens, M., &amp; Van Eecke, P. (2014). Legal aspects of text mining. Computer Law &amp; Security Review, 30(2), 153–170. https://doi.org/10.1016/j.clsr.2014.01.009</mixed-citation></citation-alternatives></ref><ref id="cit30"><label>30</label><citation-alternatives><mixed-citation xml:lang="ru">Truyens, M., &amp; Van Eecke, P. (2014). Legal aspects of text mining. Computer Law &amp; Security Review, 30(2), 153–170. https://doi.org/10.1016/j.clsr.2014.01.009</mixed-citation><mixed-citation xml:lang="en">Vazhorova, M. A. (2012). The ratio of concepts “the information on private life” and “personal data”. Saratov State Law Academy Bulletin, 4(87), 55–59. (In Russ.).</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
