AI and European Privacy - Light at the End of the Tunnel
Christine Axsmith
Cyberstalking, Privacy, AI Policy Writer, with a little Royal Gossip
Context
Worries that AI Large Language Models (LLMs) violate the GDPR, the EU’s privacy law, have European technologists concerned that the law will hamper acceptance of AI there.
From Reuters Legal Analysis, November 17, 2023: “AI introduces two critical concerns: (1) the re-personalization of anonymous data and (2) the inference of additional personal information from existing data. Because AI tools synthesize enormous amounts of information, there is a risk that the algorithms will be able to re-identify the true owner from whom the anonymized personal data was collected.”
Nine GDPR complaints were filed against X-Twitter today because the company was using European user data to train its AI product, called “Grok.” The complaints were filed by NOYB, the privacy law nonprofit, because X-Twitter did not get European users’ permission before using their data to train its AI.
Zoom In
Large Language Models (LLMs) are one type of Artificial Intelligence. A big obstacle to using AI LLMs in Europe, with its very strong GDPR privacy law, is potential privacy violations from all the web data scraped into them. The big concern is that European privacy laws would prevent full use of AI.
The GDPR has exceptions to its strong privacy requirements, and one of them is Legitimate Interest (see Article 6(1)(f) of the GDPR). The legal test is whether the legitimate interest being pursued balances or outweighs the rights of the data subject. Whether personal data can be used to train AI without first getting permission from the users is a legal question that needs answering.
A potential solution was published recently. A Commissioner on Data Protection and Freedom of Information in Hamburg, Germany just laid out the logical framework for LLMs to operate under the GDPR - legally. It is only a paper, not a binding decision, but it provides the logical framework for how to see AI LLMs as GDPR-compliant.
The Gist of the Solution
It takes BOTH the AI prompt and the AI tokens to create a privacy violation. One example would be asking an AI for the birthday of a public figure. Because the same date appears in a number of places in the data that trained the AI, there is a high likelihood that the specific date will be returned as an answer. But, according to the privacy logic in this paper, it is the combination of a PROMPT and the DATA in the AI that creates the privacy violation. If that’s the case, no AI on its own is a privacy violation, no matter how much personal data it has consumed.
Why This Is Big
LLMs take in a lot of words from a lot of places on the web. Then they create connections between those words and give a weight to the association between one word and another based on how likely they are to be connected in the data that trained the model.
But then we have personal privacy
The problem is how the EU can move forward with AI LLMs without violating its strong privacy laws. The Hamburg DPA just let the world know.
The Bottom Line
Europe isn’t going to be left out of the AI revolution because of some personal privacy laws. Yes, nine complaints were just filed against X-Twitter for privacy violations and those cases will need to be closely monitored, but the intellectual framework for finding AI not to be in violation of the GDPR has been created. Watch this space.