EU Opens Door for AI Training Using Personal Data


Using personal data without consent to train AI models will not necessarily infringe the EU’s General Data Protection Regulation (GDPR), according to a new opinion by the European Data Protection Board (EDPB).

However, this is on the condition that the AI tool’s output does not reveal personal information.

This is, in substance, what the EDPB, the umbrella organization for all EU member states’ data protection agencies, said in the long-awaited opinion on how GDPR should apply to AI models, published on December 18.

The document was requested by the Irish Data Protection Commission (DPC) in September with a view to seeking Europe-wide regulatory harmonization.

The DPC asked the EDPB to answer the following question: “Is the final AI Model, which has been trained using personal data, in all cases, considered not to meet the definition of personal data (as set out in Article 4(1) GDPR)?”

AI Models’ GDPR Compliance, a Case-by-Case Question

While the Board agreed that the development and deployment of AI models raise fundamental data protection questions, it considered that some categories of personal data (e.g. when “individuals are aware that their personal data is online”) can be used for AI training without violating GDPR.

“If it can be demonstrated that the subsequent operation of the AI model does not entail the processing of personal data, the EDPB considers that GDPR would not apply,” the document reads.

Nevertheless, the EDPB noted that personal data used to train AI models cannot always be considered anonymous.

The EDPB called for a case-by-case analysis of AI models, since a model processing personally identifiable information (PII) should neither automatically be considered in violation of GDPR nor automatically be considered compliant.

This analysis should include a thorough evaluation of the risk that PII could be identified. AI developers and integrators should ask:

  • Was the personal data publicly available?
  • What is the nature of the relationship between the data subject and the controller?
  • What is the nature of the service?
  • What is the context in which the personal data was collected?
  • What is the source of the data (i.e., the website or service where the personal data was collected and the privacy settings it offers)?
  • What are the potential further uses of the model?
  • Were data subjects actually aware that their personal data was online at all?

Where an AI model is found to have been created, updated or developed using unlawfully processed personal data, the EDPB noted that another controller deploying that model would need to carry out an appropriate assessment to confirm whether the allegedly non-compliant AI model was lawfully developed.

The level of detail of the assessment should be proportionate to the risks raised in the deployment phase. It should also look at the source of the personal data and whether the processing in the development phase was subject to a finding of infringement.

The EDPB response was welcomed by the Irish DPC, with Commissioner Dale Sunderland saying it will enable proactive, effective and consistent regulation across the EU/EEA, giving greater clarity and guidance to industry while also promoting responsible innovation.

“It will also support the DPC’s engagement with companies developing new AI models before they launch on the EU market as well as the handling of the many AI-related complaints that have been submitted to the DPC,” he added.

Noyb, the Austria-based European Center for Digital Rights, has filed several complaints against generative AI developers, such as OpenAI and Meta, claiming their AI training processes violated GDPR.
