Introduction

On December 18, 2024 [1] [10], the European Data Protection Board (EDPB) released Opinion 28/2024 [1] [3] [6] [8] [9] [10], which clarifies how the EU General Data Protection Regulation (GDPR) applies to the processing of personal data in the development and deployment of artificial intelligence (AI) models. The opinion [1] [2] [3] [5] [6] [8] [9] [10], requested by the Irish Data Protection Commission (DPC) [3] [7] [10], aims at harmonized enforcement across Europe, with an emphasis on transparency and accountability in handling personal data within AI systems. It addresses three questions in particular: when an AI model can be considered anonymous, when legitimate interest can serve as the legal basis for developing or deploying a model [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and what the consequences are of building a model on unlawfully processed data [3] [6] [9].

Description

The EDPB asserts that personal data absorbed into an AI model's parameters may still constitute personal data [4], so the model itself can fall within the scope of the GDPR [4]. Stripping direct identifiers from the training data does not make the resulting model anonymous; anonymity must be assessed case by case, since even aggregated or transformed data can be vulnerable to re-identification attacks [5]. If information relating to identifiable individuals can be extracted from the model [4], the model cannot be treated as anonymous [3] [9]. Developers must therefore show that the likelihood of identifying individuals from the model, using all means reasonably likely to be used, is negligible [4], which requires a systematic evaluation of the available identification and extraction methods [4]. The opinion provides a non-prescriptive, non-exhaustive list of measures controllers can rely on to demonstrate anonymity [9] [10], underscoring that robust anonymization is what mitigates the risk and upholds privacy protections in AI applications [3].

To assess whether legitimate interest (Article 6(1)(f) GDPR) can serve as the legal basis for processing personal data in an AI context, the EDPB restates the three-step test that controllers must apply and that Data Protection Authorities (DPAs) will check [8]: first, that the interest pursued is lawful, clearly articulated and real rather than speculative [2]; second, that the processing is necessary for that interest, which includes considering whether less intrusive alternatives would achieve the same purpose [2] [6]; and third, that the interest is not overridden by the rights and freedoms of the data subjects [9]. The opinion illustrates scenarios in which legitimate interest may apply, such as a conversational agent that assists users or an AI system that improves threat detection in an information system [8], provided the necessity and balancing tests are met [3] [8] [9].

Key themes include data minimization [1], transparency across the AI model lifecycle [1], and governance practices such as regular audits [1], training [1] [3] [4] [6] [7] [10], and documentation [1] [5]. As part of the balancing test, the EDPB sets out criteria for judging whether individuals could reasonably expect their data to be used for an AI system [3], including whether the data was publicly available, the nature of the relationship between the individual and the controller [3] [8] [9], and the context in which the data was collected [3] [8] [9].

The opinion also addresses the consequences of developing an AI model on unlawfully processed personal data [9], warning that the unlawfulness of the development phase can taint the lawfulness of the model's later deployment. One exception is drawn: if the model is subsequently and demonstrably anonymized, so that no personal data is processed when it is operated [10], the GDPR would not apply to that later operation, although DPAs retain their powers over the original unlawful processing. The EDPB Chair [1] [3] [8] [9], Anu Talus [1], emphasized the need to balance innovation in AI with respect for fundamental rights and ethical principles [1]. Where the balancing test shows that the processing could adversely affect individuals [9], mitigating measures may be needed to reduce that impact [9]. Such measures include technical measures that support model anonymity [2], pseudonymization [2] [5], data masking [2] [8], opt-out rights for data subjects [2], and enhanced transparency [2] [3].

Policymakers are urged to adapt European data protection law so that it better accommodates AI development [4], particularly in light of the EDPB's reading of how the GDPR applies to AI data processing. Organizations relying on legitimate interest are encouraged to identify an interest that is concrete and lawful [5] and to make sure it does not override the rights of data subjects [5]. The concept of 'legitimate interest' remains contentious [4] [6], with ongoing debate in the UK Parliament about its applicability to AI-related processing [4]: proponents argue that AI innovation serves a social good [4], while critics point to risks to privacy and the spread of misinformation [4].

The EDPB’s guidance [3] [4] [6], although not legally binding [6], strongly shapes how privacy law is enforced in the EU [6]. GDPR violations carry fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher [6], and supervisory authorities may also order non-compliant AI models to be changed or deleted [6]. AI companies struggle to comply because of the volume of personal data needed to train models [6], much of it scraped from public sources [6], which complicates both establishing a legal basis and handling data subject requests [6]. Italy's data protection authority temporarily blocked ChatGPT in 2023 and, in January 2024 [6], notified OpenAI that it considered the service to violate the GDPR by processing personal data without a legal basis [6]. Separately, the advocacy group noyb filed a complaint against OpenAI [6], alleging that ChatGPT produced inaccurate information about individuals and offered no means of correction [6].

The EDPB’s guidance calls for a case-by-case assessment of whether an AI model is anonymous [7], framed as a two-part test: first [7], whether personal data relating to the individuals whose data was used to develop the model can be extracted from the model itself, directly or probabilistically, with means reasonably likely to be used [7]; and second [7], whether such personal data can be obtained, intentionally or not, through queries to the model [7]. Both likelihoods must be negligible for the model to be considered anonymous. The guidance restates the tests that apply when legitimate interest is relied on as a legal basis, and highlights the AI-specific risks to fundamental rights that arise during development and deployment [7] [10]. It stresses the role of data subjects' reasonable expectations about how their personal data will be processed [7], urging controllers to consider the source of the data [7], how it was collected [3] [7], and whether the individuals were aware of the processing [7], which is particularly relevant to web scraping [6] [7].

The consequences of training a model on unlawfully processed personal data are spelled out [7]: EU supervisory authorities have discretion over enforcement [7], which may include fines [7], limits on the processing [2] [7], or an order to erase the unlawfully processed data and even the model trained on it [7]. The guidance walks through scenarios that divide responsibility between the party that creates a model and the party that deploys it [7], making clear that regulatory responses will be case-specific [7] and that both the developer and the deployer carry risk [7]. Regulators' authority to act against the unlawful creation of AI models [7], including models whose developers claim anonymization [7], is affirmed [7]; this presupposes transparency in AI development and access to detailed information about a model's inputs [7], processes [2] [3] [5] [6] [7] [8] [9] [10], and outputs [7]. Regular testing of models against known attacks, and updating them as new attacks emerge, is needed to demonstrate an ongoing commitment to privacy and security [5], and documentation [1] [5], including Data Protection Impact Assessments (DPIAs) [5], is essential for demonstrating compliance [5].

For AI models that process special categories of data [5], stricter GDPR rules apply [5]: the processing must rest on one of the Article 9 exceptions, such as explicit consent [5]. Transparency and human oversight are critical for systems that significantly affect individuals [5], which calls for clear explanations of how decisions are reached and a route for individuals to challenge them [5]. The EDPB seeks harmonization across EU/EEA jurisdictions while acknowledging that every AI model is different [5], so compliance strategies must be tailored [5]. Organizations should carry out DPIAs regularly [5], choose their legal basis carefully [5], implement privacy-enhancing techniques [5], keep detailed documentation [5], test models for vulnerabilities [5], ensure transparency [1] [3] [4] [5] [6] [7] [9], and follow regulatory developments [5]. The opinion lays a foundation for balancing innovation with data protection [5], highlighting privacy-by-design and ongoing audits as the means of building trust and compliance as AI technologies evolve [5].

Conclusion

The EDPB’s Opinion 28/2024 serves as a crucial guide for harmonizing GDPR compliance in AI development across Europe. It underscores the importance of transparency [7], accountability [3] [5], and robust anonymization measures in AI systems. By addressing the challenges of processing personal data in AI contexts, the opinion provides a framework for balancing innovation with fundamental rights and ethical principles. Organizations are encouraged to adopt comprehensive governance practices, ensuring that AI technologies are developed and deployed in a manner that respects privacy and complies with regulatory standards.

References

[1] https://www.jdsupra.com/legalnews/the-european-data-protection-board-5534435/
[2] https://techcrunch.com/2024/12/18/eu-privacy-body-weighs-in-on-some-tricky-genai-lawfulness-questions/
[3] https://www.techmonitor.ai/digital-economy/ai-and-automation/edpb-ai-data-guidance-harmonise-gdpr-compliance
[4] https://www.pinsentmasons.com/out-law/news/edpb-opinion-gdpr-ai-adaptability
[5] https://www.gamingtechlaw.com/2024/12/edpb-opinion-on-ai-model-training-how-to-address-gdpr-compliance/
[6] https://www.techrepublic.com/article/eu-guidance-ai-privacy-laws/
[7] https://www.mcgarrsolicitors.ie/2024/12/18/overview-on-edpb-opinion-28-2024-on-personal-data-in-ai-models/
[8] https://cnpd.public.lu/en/actualites/international/2024/12/edpb-avis-ai.html
[9] https://www.edpb.europa.eu/news/news/2024/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en
[10] https://legacy.dataguidance.com/news/eu-edpb-releases-opinion-personal-data-processing