Introduction

On December 18, 2024 [6] [9] [10] [11], the European Data Protection Board (EDPB) released Opinion 28/2024 [1] [2] [3] [6] [9] [10] [11], which addresses significant data protection issues related to the processing of personal data in the context of artificial intelligence (AI) model development and deployment under the General Data Protection Regulation (GDPR). The Opinion explores whether AI models can be considered anonymous and if legitimate interests can serve as a lawful basis for processing personal data in AI contexts [10].

Description

The Opinion was issued under Article 64(2) GDPR at the request of the Irish Data Protection Commission, which asked the Board to clarify several points about the processing of personal data in AI models [6] [11]. The EDPB frames its answers around two central questions: when an AI model trained on personal data can be considered anonymous, and whether legitimate interest under Article 6(1)(f) GDPR can serve as a lawful basis for the development and deployment of such models [10]. It also addresses the consequences of using a model that was developed through unlawful processing of personal data [5] [8].

A central finding is that an AI model trained on personal data is not automatically anonymous; the question must be assessed case by case [3] [6] [8]. Two likelihoods drive that assessment: that personal data of the individuals whose data was used for training can be extracted from the model, directly or probabilistically, and that such data can be obtained, intentionally or not, through queries to the model [6] [8]. For the model to be treated as anonymous, and therefore outside the scope of the GDPR, both likelihoods must be “insignificant”, taking into account all means reasonably likely to be used by the controller or by another person [1] [5]. A controller claiming anonymity must be able to show the supervisory authority comprehensive documentation of the technical and organizational measures applied across the model’s lifecycle, including its assessment of re-identification risk and any Data Protection Impact Assessment (DPIA) [10]. Supervisory authorities are advised to examine the characteristics of the training data, the model itself and the training process, as well as the availability of additional data that could enable identification of individuals [4] [5] [8] [10]. The threshold is demanding: a controller that cannot meet it remains fully subject to the GDPR for the personal data retained in the model, including its obligations towards data subjects [4]. Measures the EDPB lists as relevant evidence of anonymity include limiting the collection of personal data during training, applying robust anonymization techniques, design choices that reduce the model’s tendency to memorize and regurgitate training data, documented testing of the model’s resistance to extraction attempts, and thorough documentation of all of the above [1] [3] [4] [7] [8] [9] [11].

The Opinion then sets out a framework for assessing legitimate interest as a legal basis for processing personal data in AI contexts, restating the three-step test of Article 6(1)(f) GDPR [9] [10]. First, the controller must identify a legitimate interest that is lawful, clearly and precisely articulated, and real and present rather than speculative. Second, a necessity test asks whether the processing is actually needed to pursue that interest. Third, a balancing test weighs the interests and fundamental rights of data subjects against the controller’s interest. Interests the EDPB cites as potentially legitimate include developing a conversational agent to assist users, improving threat detection in an information system, and detecting fraudulent content or behavior [8] [9] [10] [11]. The EDPB accepts that legitimate interest can in principle support both the development and the deployment of AI models, including development on personal data obtained through web scraping, but each case still requires its own evaluation [4].

The necessity test asks whether the interest could be pursued by less intrusive means and requires the processing to be proportionate and consistent with data minimization, which in the training context bears directly on the volume and categories of personal data collected [9]. For the balancing test, the EDPB notes that processing can affect data subjects’ interests and fundamental rights, including privacy and freedom of expression, and that the severity of the risk depends on the nature of the data and the context of processing [9]. The assessment should account for positive effects, such as improved accessibility of services, alongside negative ones, such as identity theft, manipulation or discrimination [9].

The reasonable expectations of data subjects weigh heavily in the balancing test [9]. Relevant factors include whether the data was publicly available, the relationship between the data subject and the controller, the nature of the service, the context in which the data was collected, the source of the data, the potential further uses of the model, and whether the data subject was even aware that the data was online [6] [8] [9] [11]. Where the balance would otherwise tip against the controller, mitigating measures may bring the processing within the legitimate interest basis; the Opinion gives examples such as pseudonymization, excluding certain data sources or categories from collection, enhanced transparency, and easy ways for individuals to opt out [9]. Controllers are advised to tailor such measures to the specific risks of their model, to adopt privacy-preserving techniques, and to test the model thoroughly so that it complies with GDPR principles and with the obligations of the EU Artificial Intelligence Act as they phase in [3].

The EDPB stresses that reliance on legitimate interest must be justified through the full three-step test. Where personal data remains in a model, the lawfulness of later processing may be affected by whether the initial training had a valid legal basis [9] [11]. The Opinion distinguishes three situations for models trained on unlawfully processed personal data [8]. Where the developer itself retains personal data in the model and goes on to use it, that use is treated as a continuation of the original unlawful processing [5]. Where a different controller deploys the model, it must assess whether the model was developed lawfully; the supervisory authority will consider whether that assessment was appropriate, and knowingly using a model trained in breach of the GDPR is itself regarded as unlawful [5]. Finally, where the developer has effectively anonymized the model after training, the GDPR no longer applies to the model itself, although any personal data processed during its deployment remains subject to the Regulation.

The Opinion therefore underscores the due diligence expected of parties acquiring AI models, particularly regarding the developer’s original processing activities [4]. Controllers deploying third-party models should verify that the model was developed lawfully, document that verification, and consider contractual protections against legal exposure arising from an unlawfully trained model [7]. Organizations that use models built on unlawfully processed personal data may face liability of their own, which makes documented due diligence central to managing regulatory risk [10].

The practical measures that follow from the Opinion are to design models so that personal data cannot readily be extracted, to carry out and record a genuine necessity test, to implement risk-mitigation measures, to keep detailed documentation, and to review data protection practices regularly [7] [9]. These measures support responsible innovation while safeguarding data subjects’ rights and limiting legal and reputational exposure. Overall, the Opinion raises important questions about how GDPR principles apply to AI models, particularly on anonymity, legitimate interest, and the responsibilities of controllers across the model lifecycle [3] [4] [5] [6] [7] [8] [9] [10] [11]. Its recurring themes are case-by-case assessment, accountability and transparency as the means of reconciling AI development with data protection law [1] [4] [10].

Conclusion

The EDPB’s Opinion 28/2024 has significant implications for the development and deployment of AI models under the GDPR. It sets a demanding standard for treating a model as anonymous and requires careful, documented reasoning when legitimate interest is relied on as the legal basis for processing personal data. The Opinion also underscores the importance of due diligence, comprehensive documentation and adherence to data protection principles in limiting legal and reputational risk, including for organizations that merely deploy models built by others [5] [10]. As AI technologies continue to evolve, aligning innovation with data protection law remains essential to safeguarding data subjects’ rights and ensuring that AI models are used lawfully.

References

[1] https://www.datenschutz-notizen.de/edpb-issues-opinion-on-personal-data-processing-by-ai-models-2951399/
[2] https://nquiringminds.com/ai-legal-news-summaries/6e816ad0fe6903295f0e28e23efe9016/
[3] https://ivlawfirm.com/en/analysis-of-edpb-s-opinion-on-ai-and-data-protection/
[4] https://www.gibsondunn.com/unboxing-the-edpb-opinion-on-ai-models/
[5] https://www.pearlcohen.com/european-privacy-regulators-opine-on-personal-data-processing-in-ai-model-training/
[6] https://www.lexology.com/library/detail.aspx?g=5e028ff2-86d4-44ad-bc6d-9e9a0312b134
[7] https://hintzelaw.com/blog/2025/1/8/the-edpb-releases-an-opinion-on-ai-model-development-and-deployment
[8] https://www.huntonak.com/privacy-and-information-security-law/edpb-publishes-opinion-on-processing-of-personal-data-in-the-context-of-ai-models
[9] https://www.jdsupra.com/legalnews/european-data-protection-board-releases-5357780/
[10] https://www.lexology.com/library/detail.aspx?g=ff38e163-f490-4d40-aeda-53e8f73dfcd4
[11] https://natlawreview.com/article/edpb-publishes-opinion-processing-personal-data-context-ai-models