The European Data Protection Board (EDPB) has adopted an opinion on the use of personal data in developing and deploying AI models.
The opinion deals with 3 aspects:
When and how AI models are anonymous.
Whether and how legitimate interest can be a basis for developing and using AI models.
What happens if unlawfully processed personal data has been used in the development of an AI model, and what this means for "first party" and "third party" data.
Privacy regulators must consider whether an AI model is anonymous on a case-by-case basis. With an anonymous AI model, it must be highly unlikely that:
The individuals whose data were used to create the AI model can be identified, directly or indirectly.
The personal data can be extracted from the model again with 'queries'.
In the opinion, the EDPB explains how organizations and regulators can verify that an AI model is anonymous.
With examples and criteria, the opinion helps regulators and organizations determine whether legitimate interest can be a basis for processing personal data when developing and using AI models. Consider, for example, chat help or AI used to enhance online security. Such services may be convenient for people and may be possible on the basis of legitimate interest, but only if the processing is strictly necessary and the interests are properly balanced. In addition, people must have a reasonable expectation that their personal data will be used for this purpose.
Does the assessment show that the processing has too great a (negative) impact on people? The opinion contains examples of measures organizations can then take to reduce the impact.
Finally, the opinion addresses AI models developed with unlawfully processed personal data. In such a case, use of the model is likely to be prohibited unless the model is properly anonymized.
The opinion came about following a request from the Irish regulator, the Data Protection Commission (DPC). Subsequently, the EDPB sought input from stakeholders in the field, including the EU AI Office.
Because AI models are so varied and evolve so rapidly, the opinion provides guidance for conducting a case-by-case analysis.
In addition, the EDPB is working on guidelines that answer more specific questions, such as those about scraping.
The Personal Data Authority (AP) is one of the privacy regulators in the EDPB.