The European Union privacy body weighed in on emerging issues regarding the lawfulness of GenAI. The board explored loopholes that AI developers may exploit to process personal data without contravening current legislation.
The European Data Protection Board raised questions over the lawful basis for AI developers processing user personal data. In an opinion published on December 17, the board addressed various matters of general application in compliance with Article 64(2) of the GDPR.
European Union privacy board weighs in on issues in data protection and AI deployment
The European Data Protection Board (EDPB) issued the opinion upon the Irish supervisory authority’s request. The board noted it had a statutory mandate under the General Data Protection Regulation (GDPR) to issue an opinion on matters affecting more than one member state within the European Union.
The agency pointed out that the requests presented by the Irish body related to processing personal data during the Artificial Intelligence (AI) development and deployment phases. It narrowed the opinion to four issues related to data protection within the European Union.
The issues included when and how an AI model can be considered anonymous and how controllers can illustrate the necessity of legitimate interest in deployment. The board also explored the consequences of unlawful data processing during the development phase of an AI model on the subsequent operation of the AI model.
Regarding the question of when and how an AI model’s anonymity can be determined, the body stated that a competent local authority should make such a determination on a case-by-case basis. The board expressed that it did not consider all AI models trained using personal data to be anonymous.
The body recommended that national supervisory authorities evaluate relevant documentation the controller provides to determine a model’s anonymity. It added that controllers should also take the relevant steps to limit personal data collection during training and mitigate potential attacks.
On the question of legitimate interest as an appropriate legal basis for processing personal data during the deployment of AI models, the board left it to the controllers to determine the appropriate legal basis for processing such data.
The EDPB emphasized the three-step test for determining legitimate interest by supervisory bodies. The steps included identifying the actual legitimate interest and analyzing its necessity. Controllers must also assess whether the legitimate interest balances with the data subjects’ rights and freedoms.
In assessing the consequences, the body left the discretion to the supervisory authorities (SAs) in the respective states. It added that the SAs should choose the appropriate consequences depending on the facts of each scenario.
Ireland Data Protection Commission comments on EDPB opinion on AI model regulation
The Ireland Data Protection Commission responded in a statement noting the opinion would promote effective and consistent AI model regulation in the EU. Commissioner Dale Sunderland commented:
It will also support the DPC’s engagement with companies developing new AI models before they launch on the EU market, as well as the handling of the many AI-related complaints that have been submitted to the DPC.
Dale Sunderland
Complaints over ChatGPT’s maker, OpenAI, have reportedly been in focus over the past months. The Polish Data Protection Authority raised questions last year about the AI developer’s compliance with the GDPR.
The authority alleged that OpenAI overlooked requirements such as prior consultation with regulators where there was a risk of personal data breach. The regulator noted that OpenAI launched ChatGPT without consulting local regulators in contravention of the GDPR guidelines.
Italy’s Garante also ordered OpenAI to cease processing personal data in 2023 before addressing issues it had identified with the company’s platform. It highlighted that the San Francisco-based company lacked measures to prevent minors from accessing the technology as required by law.
The regulatory authority warned that failure to comply with the guidelines would attract penalties, including four percent of annual turnover or twenty million euros, whichever was greater.