EDPB opinion on AI models and use of personal data

The opinion considers anonymity, legitimate interest and deploying an AI model with unlawfully processed personal data.

The European Data Protection Board (EDPB) has adopted an opinion on the use of personal data for the development and deployment of AI models. This opinion looks at:

  1. when and how AI models can be considered anonymous;
  2. whether and how legitimate interest can be used as a legal basis for developing or using AI models; and
  3. what happens if an AI model is developed using personal data that was processed unlawfully.

It also considers the use of first- and third-party data.

The opinion was requested by the Irish Data Protection Authority (DPA) with a view to seeking Europe-wide regulatory harmonization. To gather input for this opinion, the EDPB organized a stakeholders’ event and had an exchange with the EU AI Office.

EDPB Chair Talus said: “AI technologies may bring many opportunities and benefits to different industries and areas of life. We need to ensure these innovations are done ethically, safely, and in a way that benefits everyone. The EDPB wants to support responsible AI innovation by ensuring personal data are protected and in full respect of the General Data Protection Regulation (GDPR).”

Anonymity

Regarding anonymity, the opinion says that whether an AI model is anonymous should be assessed on a case-by-case basis by the DPAs. For a model to be anonymous, it should be very unlikely (1) to directly or indirectly identify individuals whose data was used to create the model, and (2) to extract such personal data from the model through queries. The opinion provides a non-prescriptive and non-exhaustive list of methods to demonstrate anonymity.

With respect to legitimate interest, the opinion provides general considerations that DPAs should take into account when they assess if legitimate interest is an appropriate legal basis for processing personal data for the development and the deployment of AI models.

A three-step test helps assess the use of legitimate interest as a legal basis. The EDPB gives the examples of a conversational agent to assist users, and the use of AI to improve cybersecurity. These services can be beneficial for individuals and can rely on legitimate interest as a legal basis, but only if the processing is shown to be strictly necessary and the balancing of rights is respected.

Balancing test

The opinion also includes a number of criteria to help DPAs assess if individuals may reasonably expect certain uses of their personal data. These criteria include: whether or not the personal data was publicly available, the nature of the relationship between the individual and the controller, the nature of the service, the context in which the personal data was collected, the source from which the data was collected, the potential further uses of the model, and whether individuals are actually aware that their personal data is online.

If the balancing test shows that the processing should not take place because of the negative impact on individuals, mitigating measures may limit this negative impact. The opinion includes a non-exhaustive list of examples of such mitigating measures, which can be technical in nature, or make it easier for individuals to exercise their rights or increase transparency.

Finally, when an AI model is developed in breach of data protection regulations, there could be an impact on the lawfulness of its deployment. This will be determined on a case-by-case basis by the DPA.

The EDPB has said that there will be no risk if the AI model has been duly anonymized.

GRIP Comment

Considering the breadth of the request from the Irish DPA, the vast diversity of AI models and their rapid evolution, the opinion is a good first attempt to address the issues raised.

The opinion aims to strengthen the role of the data protection officer by giving guidance on various elements that can be used for conducting a case-by-case analysis within the scope of GDPR.

Organizations are encouraged to adopt a unified compliance strategy to meet the requirements of both the GDPR and the EU AI Act.

In addition, the EDPB is currently developing guidelines covering more specific questions, such as web scraping.