The European Data Protection Supervisor (EDPS) recently published initial guidance on the use of generative artificial intelligence (Generative AI, GAI). It is primarily aimed at EU institutions. However, the data protection obligations it contains for generative AI can also be useful for companies.
Data protection tips for generative AI
The guide aims to provide practical advice on the processing of personal data in connection with the use of generative AI systems. The aim is to ensure that such systems are used in a data protection-friendly manner without infringing the fundamental rights of the data subjects.
The good news right at the beginning of the guide is that all EU institutions can develop and use their own generative AI solutions. Alternatively, they can also use solutions available on the market for their own use. Only the legal framework conditions must be complied with.
The guidelines emphasize the need for careful risk assessment and continuous monitoring when using AI systems. This concerns, among other things, minimizing data collection and ensuring data accuracy. It also concerns safeguarding the rights of data subjects, such as the right to access, rectify or erase their data.
The role of the data protection officer (DPO) is particularly emphasized. He or she must ensure that the GAI systems comply with data protection requirements.
In addition, the institutions must take technical and organizational measures to ensure data security and prevent misuse by third parties.
Permissibility of processing personal data in AI systems
The guidance explicitly points out that providers of generative AI models can claim a legitimate interest under the General Data Protection Regulation as a legal basis for data processing. This applies in particular to the collection of data used for the development of the system, including the training and validation processes.
The ECJ has defined three conditions for the processing of personal data to be lawful:
- the pursuit of a legitimate interest by the controller (or by a third party);
- the necessity of processing personal data for the purposes of the legitimate interest pursued;
- the interests or fundamental freedoms and rights of the data subject shall not override the legitimate interest of the controller (or a third party).
However, the EDPS acknowledges that, in the case of data processing by generative AI systems, many circumstances can influence the balancing process. This can lead to legal uncertainty for both data subjects and controllers.
Transparency and fairness in the use of GAI systems
The guidance emphasizes the importance of transparency in informing data subjects about the processing of their data by generative AI systems. Institutions must provide clear and comprehensive information about the data sets used, how the algorithms work and the potential impact on data subjects.
In addition, precautions must be taken to ensure that GAI systems operate fairly and without discriminatory bias. This requires regular review and adjustment of the systems to identify and correct distortions.
Conclusion: The use of generative AI offers numerous opportunities for the EU institutions, but requires careful attention to data protection requirements. The guidelines published by the EDPS are a first step toward ensuring the data-protection-compliant use of these technologies. The EDPS intends to refine and expand these guidelines over time to meet the ever-changing challenges.
Source: First EDPS Orientations for ensuring data protection compliance when using Generative AI systems