EDPB Opinion 28/2024: the 3 main questions
MyData-TRUST - Data Protection & Privacy for Life Sciences
When Data Protection meets Life Sciences
The European Data Protection Board has published its “Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models.”
In this Opinion, the EDPB addresses 3 main questions:
1. When can an AI model trained with personal data be considered as anonymous?
A case-by-case analysis is necessary:
- Considering the likelihood of personal data being directly extracted or obtained through the queries entered.
- Taking into account ‘all the means reasonably likely to be used’ by the controller or by another party (including unintended third parties).
The EDPB proposes a non-exhaustive list of methods that controllers can use to demonstrate that the model is anonymous.
2. When can legitimate interest be used as a legal basis during the development and the deployment of the system?
It is necessary to perform a 3-step test, which requires:
- Identifying a legitimate interest of the controller or a third party that is being pursued. This legitimate interest must be lawful, clearly and precisely articulated, and real, not hypothetical.
- Determining that the processing is necessary to achieve the purpose, which cannot be attained by other less intrusive means.
- Performing a balancing exercise between the rights and freedoms of the data subject and the interests of the controller or third party. The EDPB points out that the impact on individuals can be positive or negative and that the reasonable expectations of the individuals must be taken into consideration.
The EDPB offers a non-exhaustive list of mitigating measures, with specific examples for web-scraping scenarios.
For more details about legitimate interest as a legal basis, see the recent EDPB guidelines on processing of personal data based on legitimate interest (for public consultation): https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/s-12024-processing-personal-data-based_en
3. What are the consequences of processing personal data unlawfully?
The guidelines present 3 possible scenarios where a controller unlawfully processes personal data to develop the model:
Scenario 1: The personal data is retained in the model and is subsequently processed by the same controller (for instance in the context of the deployment of the model):
The consequences for the new controller will depend on:
- Whether or not the purposes in the development and deployment phases are different,
- How the unlawfulness of the initial processing affects the lawfulness of the subsequent processing.
Scenario 2: The personal data is retained in the model and is processed by another controller in the context of the deployment of the model:
- Supervisory authorities (SAs) will determine whether or not the new controller conducted an appropriate assessment to ascertain that personal data was not processed unlawfully during the development phase.
- The EDPB points out that the EU declaration of conformity required for providers of high-risk AI systems may not be sufficient to demonstrate compliance.
Scenario 3: A controller unlawfully processes personal data to develop the model, then ensures that the model is anonymised, before the same or another controller initiates another processing of personal data in the context of the deployment:
- If the use of the model by the new controller does not entail processing of personal data, GDPR would not apply.
- If personal data is processed by subsequent controllers during the deployment of the previously anonymised model, GDPR would apply to these new processing operations, which should not be affected by the unlawfulness of the processing during the development phase.
More questions? Our team of DPOs and Lawyers is ready to support you
Attorney | DPO certified | LL.M in IP and ICT Law | Life Sciences
1 month ago: Thank you Noelia Fernandez, very insightful!
To discuss this topic with our experts, join us at our next 'Data Privacy for Health' Summit: https://www.mydata-trust.com/events-mdt/data-privacy-for-health-2025/