German Data Protection Authorities publish Guidelines on AI Deployment

Executive Summary

The German Data Protection Authorities (DPAs) have issued comprehensive guidelines aimed at ensuring the privacy-compliant deployment of Artificial Intelligence (AI) applications. These (German language) guidelines address the growing use of AI, particularly Large Language Models (LLMs), and their implications for data protection. This overview provides an executive summary and a detailed overview of the DPA guidelines, focusing on practical steps organizations can take to align their AI deployments with data protection principles, thereby achieving defensible compliance and safeguarding individuals' privacy rights.

Detailed Overview

This section gives an overview on the main requirements, which the DPAs expect enterprises deploying AI to comply with. The guidelines differentiate between several phases and areas, e.g. planning and selecting, implementing an using AI Applications.

Planning and Selection of AI Applications

Purpose and Legality

• Purpose Specification: Clearly define the AI application's intended use cases and objectives, ensuring they align with the data protection principles set out in Art. 5 GDPR.
• Legality of Use: Assess the legality of deploying AI applications, particularly under the EU AI Act, avoiding prohibited practices like social scoring and real-time biometric surveillance. Identify respective AI Act requirements and opportunities to comply with these by using and adapting existing structures, e.g. concerning GDPR processes

Data Considerations

• Non-Personal Data Preference: Whenever possible, choose applications that do not process personal data to minimize privacy risks.
• Data-Driven Training Compliance: Ensure AI applications are trained on datasets in a manner that respects privacy, questioning the source and legality of training data.

Legal and Decision-Making Framework

• Legal Bases for Data Processing: Identify and document a legal basis for each data processing activity associated with the AI application.
• Human Oversight: Implement mechanisms to ensure that automated decisions involve meaningful human intervention, avoiding reliance solely on AI-generated suggestions.

System Type and Transparency

• System Type Preference: The DPAs favor closed systems, which offer better control over data, over open systems that might expose data to third parties.
• Transparency Requirements: Disclose information about the AI application's logic, impact, and data processing practices to affected individuals.

Implementation of AI Applications

Organizational Measures

• Responsibility Assignment: Designate clear responsibility for the AI application's data processing activities within the organization.
• Internal Policies: Develop and enforce internal policies governing the use of AI applications, specifying allowed and prohibited uses.

Impact Assessment and Employee Protection

• Data Protection Impact Assessment (DPIA): Conduct DPIAs for AI applications likely to pose high risks to individuals' rights and freedoms. Consider options to combine GDPR DPIAs with Fundamental Rights Impact Assessment (FRIAs) for High-Risk AI Systems under Art 27 EU AI Act.
• Employee Data Protection: Use corporate accounts and devices for AI applications, avoiding the creation of personal profiles on employees.

Design and Security

• Privacy by Design and Default: Implement privacy-enhancing measures from the design phase of the AI application, ensuring data protection by default.
• Cyber & Data Security: Ensure robust security measures are in place to protect the AI application from unauthorized access and data breaches.

Using AI Applications

Data Handling

• Careful use of Personal Data: The DPAs urge to exercise caution when inputting or generating personal data through AI applications, ensuring transparency and legal compliance.
• Sensitive Data Handling: Apply additional safeguards when processing special categories of personal data, adhering to stricter legal requirements.

Accuracy and Fairness

• Accuracy Checks: DPAs strongly suggest to critically assess the accuracy of AI-generated results, especially when they involve personal data.
• Non-Discrimination: Monitor AI applications for potential discriminatory outcomes, ensuring compliance with non-discrimination laws.

Conclusion

Knowing and adhering to the German DPAs' guidelines on AI and privacy to a reasonable degree is essential for organizations deploying AI applications. By taking practical steps to ensure purpose specification, legality, data protection by design, transparency, and non-discrimination, organizations can navigate the complexities of AI deployment while respecting individuals' privacy rights. Regular updates and employee training are crucial to maintaining compliance in the dynamic landscape of AI and data protection and to come into a defensible degree of GDPR and AI Act compliance.