Legal Basis Requirements for AI

Legal Basis Requirements for AI

By Magali Feys[1], Herald Jongen[2], and Gary LaFever[3]


While the July 4th CJEU (Court of Justice of the European Union) ruling against Meta focuses on social media-based tracking and profiling,[4] it also contains an excellent summary of the CJEU’s current interpretation of the GDPR’s requirements for lawfulness of processing, which sheds light on AI's legal standing under the GDPR. Our conclusion is that when consent and contract are unlikely to be sufficient lawful grounds for AI processing, legitimate interests processing under GDPR Article 6(1)(f) is the most likely approach for organizations to conduct compliant processing, assuming that specific conditions are satisfied. This may shape the future of AI and data privacy in the EU and potentially worldwide.


No alt text provided for this image
A downloadable version of this graphic is available at www.LegitimateInterestAnalytics.com

Legal Bases Under GDPR

The court emphasizes that “where personal data are collected from the data subject, the controller must inform the data subject at the time of data collection of the purposes of the processing and the legal basis for the processing.[5] The following summarizes the court’s analysis of the three most likely available legal bases for AI processing under the GDPR - Article 6(1)(a) Consent, 6(1)(b) Contract, and 6(1)(f) Legitimate Interests.[6]

Consent

The processing of personal data is lawful under Article 6(1)(a) only if a data subject provides freely given, specific, and informed consent. It must be an unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.[7] This poses a significant challenge for a number of AI applications as it is often impossible to define the processing specifics at the time of data collection due to AI technologies' inherent complexity and unpredictability. As a result, obtaining consent is unlikely to enable lawful AI processing in many situations.

Contract

The processing of personal data is lawful under Article 6(1)(b) if it is necessary for the performance of a contract to which the data subject is a party or is necessary to take steps at the data subject's request before entering into a contract. To satisfy this requirement, the data controller must demonstrate how the contract's main subject matter cannot be achieved if the processing does not occur. The fact that the processing is referred to in the contract or may be useful for the performance of the contract is irrelevant. Rather, the processing of personal data must be essential for the proper performance of the contract between the controller and the data subject, and there must not be any workable, less intrusive alternatives.[8] With the wide availability of alternatives, contracts are unlikely to enable lawful AI processing in many situations.

Legitimate Interest

The processing of personal data is lawful under Article 6(1)(f) if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”[9] To successfully use legitimate interest as a legal basis for data processing, the controller must be able to demonstrate that the processing of personal data satisfies three separate tests: the Legitimate Interests Test, (2) the Necessity Test, and (3) the Balancing of Interests Test.[10]

1. Legitimate Interests Test - First, the controller must inform the data subject at the time of data collection of the legitimate interest being pursued by the data controller or by a third party.[11] Whether the purpose of processing constitutes a legitimate interest is a fact and circumstances-specific test.[12]

2. Necessity Test - Second, it must be shown that the legitimate interests pursued cannot reasonably be achieved using alternative means less intrusive to the fundamental rights and freedoms of the data subject, particularly the rights to privacy and data protection under Articles 7 and 8 of the EU Charter of Fundamental Rights.[18]

In the context of the Necessity Test, the court specifically highlights the need for the processing to comply with Article 5(1)(c) data minimization requirements. This means the data processor must ensure the processing of the data is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’[14] In this regard, properly pseudonymized data is recognized as playing …a role with regard to the evaluation of the potential impact of the processing on the data subject...tipping the balance in favor of the controller” to help support Legitimate Interest processing.[15]

Pseudonymization is defined in Article 4(5) of the GDPR as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information." By maintaining the de-identified data separately from the additional information, pseudonymization allows data handlers to use personal data more liberally without infringing on the rights of data subjects.[16] Pseudonymization contributes to the principle of data minimization by replacing not only direct but also indirect identifiers with artificial identifiers or pseudonyms, making the data record less identifiable while still being suitable for data analysis and processing. Furthermore, pseudonymization, as defined for the first time under EU law in Article 4(5) of the GDPR, requires protection at the record and data set level versus only the field level, so the protection travels wherever the data goes, including when it is in use. This measure is intended to prevent the re-identification of data subjects without the use of the additional information kept separately.[17]

?In addition to helping to satisfy data minimization requirements under the Necessity Test, properly pseudonymized data can also help with respect to (a)?lawful processing of EU personal data in US-operated clouds; (b) increased availability of Schrems II derogations; (c) lawful data repurposing, sharing, and combining; (d) support for special category processing, (e) relaxation of certain re-identification obligations, (f) privacy-respectful profiling and digital marketing; support for data protection by design and by default obligations, (g) reduced security and data breach notification obligations, and (h) expanded lawful processing.[18]

3. Balancing of Interests Test - Third, it must be shown that the interests or fundamental rights and freedoms of the data subject do not take precedence over the legitimate interests of the controller or third party.[19] In this regard, the court specifically highlights the importance of the facts and circumstances of each situation and notes the importance of informing the data subject at the time of data collection regarding the scale of processing and its impact on the person. In this regard, the court specifically highlights the importance of the facts and circumstances of each situation and notes the importance of informing the data subject at the time of data collection regarding the scale of processing and its impact on the person.[20]

?

When consent and contract are unlikely to be sufficient lawful grounds for AI processing, legitimate interests processing under the above specific conditions is the most likely approach for organizations to conduct compliant processing.

?

In addition to being the most appropriate approach for lawful AI processing, additional benefits of using Legitimate Interests as a legal basis under the GDPR include:[21]

  • Under Article 17(1)(c), if a data controller can show they “have overriding legitimate grounds for processing” supported by technical and organizational measures to satisfy the balancing of interest test, they have greater flexibility in complying with the Right to be Forgotten requests.
  • Under Article 18(1)(d), a data controller has flexibility in complying with requests to restrict the processing of personal data if they can show they have technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the privacy of the data subject is protected.
  • Under Article 20(1), data controllers using Legitimate Interests processing are not subject to the right of portability, which applies only to consent-based processing.
  • Under Article 21(1), a data controller using Legitimate Interests processing may show they have adequate technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are adequately protected. However, data subjects always have the right under Article 21(3) not to receive direct marketing outreach due to such processing.

?

Conclusion

Using pseudonymization that complies with new GDPR statutory requirements, following the introduction of the definition of pseudonymization, enables organizations to satisfy the legal requirements for AI processing of EU personal data. In addition, this GDPR-compliant pseudonymization allows organizations to benefit from greater flexibility in data processing and reduced risks associated with potential data breaches or non-compliance, ultimately fostering trust and driving responsible data use and innovation.

?

To learn more about GDPR-compliant pseudonymization, visit www.Pseudonymization.com or download a copy of the peer-reviewed law journal article "Technical Controls that Protect Data in Use and Prevent Misuse," with 2-page summaries in English, French, and German.

To stay updated on the requirements and benefits of statutory pseudonymization as defined under the GDPR and increasingly other statutes, join the?LinkedIn Statutory Pseudonymization group, with 9,400+ senior legal, privacy, data use, and innovation executives as members.




[1] Magali (Maggie) Feys is founder of AContrario.Law, a boutique law firm based in Belgium specializing in IP, IT, data protection and cybersecurity. In addition, Magali acts as a legal advisor of the Federal Belgian Ministry of Health, where she advises on privacy matters (such as e-health network, COVID contact tracing and digital EU-COVID-certificate and the Covid Safe Ticket) as well as of the different federated entities and governments. She is the president of the advisory board of Athumi, the Flemish data utility entity. Maggie also represents Anonos as chief strategist of ethical data use.

[2] Herald Jongen is Co-Managing Shareholder of Greenberg Traurig’s Amsterdam office. He focuses his practice on outsourcing, technology transactions and data protection. He has negotiated GDPR compliant agreements with Microsoft, Google and AWS for the Dutch Government.

[3] Gary LaFever is Co-Chief Executive Officer and General Counsel at Anonos, Global Innovator at the World Economic Forum, former partner at the law firm Hogan Lovells, and former Management Information Consultant at Accenture. Gary’s 35+ years of technical and legal expertise enables him to approach data protection and utility issues from both perspectives. He is a co-inventor of 35+ granted patents and 80+ additional patent assets internationally.

[4] See CJEU case C?252/21.

[5] See CJEU case C?252/21 at paragraph 95.

[6] See CJEU case C?252/21 at paragraph 90.

[7] See CJEU case C?252/21 at paragraphs 91 and 92.

[8] See CJEU case C?252/21 at paragraphs 97 through 99.

[9] See CJEU case C?252/21 at paragraph 105.

[10] See CJEU case C?252/21 at paragraphs 106 and 126.

[11] See CJEU case C?252/21 at paragraph 107.

[12] Recital 47 of the GDPR provides “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

[13] See CJEU case C?252/21 at paragraphs 108 and 121.

[14] See CJEU case C?252/21 at paragraphs 109 and 121.

[15] See pages 42 and 67 at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf

[16] See “Primer on Anonymization and Pseudonymization” at https://iapp.org/news/a/looking-to-comply-with-gdpr-heres-a-primer-on-anonymization-and-pseudonymization/

[17] See “Pseudonymization” at https://en.wikipedia.org/wiki/Pseudonymization

[18] See “Is Anonymisation Now a House of Cards?” at https://www.dhirubhai.net/pulse/anonymisation-now-house-cards-magali-feys/

[19] See CJEU case C?252/21 at paragraph 110.

[20] See CJEU case C?252/21 at paragraphs 112 and 116.

[21] See “Is Anonymisation Now a House of Cards?” at https://www.dhirubhai.net/pulse/anonymisation-now-house-cards-magali-feys/

Peter Fatelnig

Minister-Counsellor for Digital Economy Policy at the Delegation of the European Union to Japan

1 年

Excellent, many thanks for putting some clarity into this conversation.

要查看或添加评论,请登录

社区洞察

其他会员也浏览了