Unwrapping the EDPB's Guidance on AI models and Data Protection



The European Data Protection Board's (EDPB) Opinion 28/2024, published on 18 December 2024, offers a useful analysis of data protection issues linked to artificial intelligence (AI) models. With AI's rapid evolution, this guidance is pivotal for businesses and regulators alike, particularly in terms of balancing innovation with fundamental rights under the General Data Protection Regulation (GDPR).

Why This Opinion Matters

The Irish Data Protection Commission (DPC) requested an opinion from the EDPB on applying the GDPR to AI models, specifically focusing on data protection concerns arising from the training and use of AI models. The EDPB responded with this opinion document, providing guidance to Supervisory Authorities (SAs) on interpreting GDPR provisions in the context of AI models. As AI increasingly relies on personal data for training and deployment, the risks to data subjects' rights have become significant. Issues such as data inference, extraction vulnerabilities, and web-scraped content necessitate a unified EU stance on regulatory enforcement.

The EDPB confronts the difficult question of when AI models can be considered anonymous. It suggests that a case-by-case assessment is essential, focusing on whether personal data can be inferred or extracted.

The Board outlines two criteria that must be satisfied for an AI model to be considered anonymous under the GDPR:

Without meeting these conditions, an AI model is not anonymous, and the GDPR applies. The opinion underscores that claims of anonymity require robust documentation, including Data Protection Impact Assessments (DPIAs), technical safeguards, and contextual risk assessments.

Legitimate Interest as a Legal Basis

The opinion clarifies how "legitimate interest" may justify personal data processing for AI. Controllers must pass a strict three-step test:

Mitigating measures -- such as pseudonymisation, transparency, and mechanisms to enable data subject opt-outs -- can help controllers justify this legal basis.

Unlawfully Processed Data and Its Consequences

The EDPB highlights the risks of using unlawfully processed personal data to train AI models, offering scenarios to illustrate regulatory implications:

These scenarios reinforce the need for stringent due diligence when sourcing training data and demonstrate that anonymisation is not a panacea for past non-compliance.

Supervisory Authorities' Role

The EDPB tasks SAs with case-by-case evaluations of AI models, requiring them to assess lawfulness, impose corrective measures where needed, and guide organisations in adopting compliant practices. SAs must consider factors like the characteristics of training data, the AI system's context, and available technologies when enforcing the GDPR.

SAs are equipped with extensive powers to enforce GDPR compliance in the context of AI models. They have the authority to investigate whether the processing of personal data complies with the regulation, examining the practices and safeguards implemented by controllers.

If violations are identified, SAs can impose a range of corrective measures. These include levying significant fines, imposing temporary or permanent restrictions on data processing activities, and, in severe cases, ordering the deletion of unlawfully processed data or even the destruction of an entire AI model that was developed using such data.

These powers enable SAs to uphold data protection standards and ensure accountability in AI development and deployment.

Mitigating Measures for Controllers

To align with the GDPR, organisations developing or deploying AI models should consider implementing:

Looking Ahead

The EDPB recognises the need for ongoing guidance as AI technologies evolve. Future updates are expected to address niche issues, such as web scraping and Application Programming Interfaces (APIs), providing further clarity for organisations navigating this complex terrain.

Conclusion

The EDPB's Opinion 28/2024 offers a robust framework for applying the GDPR to AI models, addressing core issues like anonymity, lawful processing bases, and regulatory consequences for non-compliance. By insisting on rigorous documentation, context-specific assessments, and proactive mitigating measures, the Board sets clear expectations for businesses developing AI technologies. This opinion is a reminder that innovation in AI must not come at the expense of privacy and accountability -- a principle that will guide Europe's AI future.
