The EDPB recently released an opinion (basically a "guide" on what/how/when on all things GDPR) aimed at providing some insight into the processing of personal data related to AI models.
The guidance provided in the opinion has been long awaited, as many felt they’ve been building in the dark till now, especially around the usage of legitimate interest as a legal basis for processing but also regarding claims that an AI model is anonymous, both during the “development” and/or “deployment” phases. The goal of this opinion is to help data protection authorities, companies, and (ideally also) the public understand when and how personal data can be used in AI models (or at least only with regard to these specific use cases for now).
- Chances are, your AI model isn’t anonymous, even if it was not intentionally designed to produce information relating to an identified individual. Personal data unintentionally retained in model parameters, for example, is enough to count as processing personal data.
- AI models trained on personal data should not, as such, be considered anonymous. But what about those that have taken steps to remove the personal data? There are no clear rules in those cases, and therefore claims that they are anonymous must be assessed by the relevant Data Protection Authority on a case-by-case basis.
- Relying on legitimate interest as a legal basis to train models still requires documented proof that such a legitimate interest exists. This includes assessments on the following elements: legitimate pursuit, necessity, and balancing tests
- The requirement to conduct a DPIA when processing personal data that is likely to result in a high risk to the rights and freedoms of a data subject still applies when the processing is done by an AI model.
- Using an AI model that someone else trained in an unlawful way doesn’t cut it either, even if you’re using it lawfully. If you didn’t do your proper assessment on the model and the third party, then you can be held accountable as well.
- In case of infringement, Data Protection Authorities may impose corrective measures such as issuing fines, imposing a temporary limitation on processing, erasing part of the dataset that was processed unlawfully or, where this is not possible, ordering the erasure of the whole dataset used to develop the AI model and/or the AI model itself.
The EDPB's opinions serve an important purpose in providing clarity and harmonized interpretation and implementation of the GDPR. However, this recent opinion, while well-intentioned, highlights a paradoxical challenge: the complexity of AI governance under GDPR, combined with an already overwhelming landscape of new regulations, and the opinion's dense legal language and emphasis on case-by-case determinations, may have inadvertently added to the confusion rather than providing the clarity that organizations desperately need.
Although the opinion does not give clear answers to many questions, it still includes some general guiding principles one can (and should) follow, such as:
- If you’re developing models, make sure you have established a legitimate interest for any personal data (if that’s the legal basis you’re relying on)
- Conduct proper checks on your model and development process before claiming that it is anonymous (it probably isn’t)
- Make sure you do a thorough check on any third-party models you may be using and ensure they’ve been trained lawfully. You want to make sure you followed the steps, fixed any issues found along the way, and have a way to prove it.
- Uncertainty will remain prevalent in many areas of the market while working on finding solutions around the interplay between the GDPR and other digital regulations
- Companies will need to pick up their game and set up robust documentation practices to demonstrate compliance (robust doesn’t mean long and complex - the opposite is mostly true)
- Further guidance will be needed from the regulators on data protection and on AI, regarding, for example, specifics on technical standards for proving AI model anonymisation
- The interplay between this opinion and the AI Act implementation will need to be clarified with time, and a strong collaboration between the EDPB and the newly established European Artificial Intelligence Board will be extremely important
This newsletter is brought to you by hoggo.io's founders