The EDPS has issued Orientations on generative AI and personal data protection to provide guidance to EU institutions, bodies, offices, and agencies (EUIs) on processing personal data using generative AI systems. These guidelines aim to ensure compliance with Regulation (EU) 2018/1725 (EUDPR). Although the Regulation does not explicitly mention AI, it is essential to interpret and apply data protection principles to safeguard individuals' fundamental rights and freedoms.
Definition of Generative AI
Generative AI, a subset of artificial intelligence, uses machine learning models to produce various outputs such as text, images, and audio. These models, known as foundation models, serve as the core architecture for more specialized models fine-tuned for specific tasks. Foundation models are trained on extensive datasets, including publicly available information, and can handle complex structures like language, images, and audio.
Large language models (LLMs) are specific foundation models trained on vast amounts of text data to generate natural language responses. Applications of generative AI include code generation, virtual assistants, content creation, language translation, speech recognition, medical diagnosis, and scientific research tools.
Use of Generative AI by EUIs
EUIs can develop, deploy, and use generative AI systems for public services, provided they comply with applicable legal requirements and ensure respect for fundamental rights and freedoms. The Regulation applies fully to personal data processing activities involving generative AI, irrespective of the technologies used.
EUIs may use generative AI solutions developed internally or procured from external providers. In either case, they must determine the specific roles (controller, processor, joint controllership) for each processing operation and their implications under the Regulation. Transparency, ethical development, and adherence to a risk-based approach are essential to ensure trustworthy AI.
Identifying Personal Data Processing in Generative AI Systems
Personal data processing can occur at various stages in the lifecycle of a generative AI system, including dataset creation, training, inference, and user interactions. Developers or providers must verify that no personal data is processed, particularly where they rely on anonymized or synthetic data. The EDPS cautions against web scraping for data collection, as it may violate data protection principles.
Role of Data Protection Officers (DPOs)
Article 45 of the Regulation outlines the tasks of DPOs, including advising on data protection obligations, monitoring internal compliance, and acting as a contact point for data subjects and the EDPS. In the context of generative AI, DPOs must understand the system's lifecycle, including data processing mechanisms, decision-making processes, and the impact on individuals' rights. They should also advise on Data Protection Impact Assessments (DPIAs) and ensure transparency and documentation of processing activities.
Conducting DPIAs for Generative AI Systems
A DPIA is required before processing operations that are likely to involve high risks to individuals' rights and freedoms, particularly when using new technologies like generative AI. The DPIA should assess risks, document mitigation actions, and ensure compliance with the data protection by design and by default principles. Controllers must consult the EDPS if reasonable measures cannot mitigate the risks.
Lawfulness of Personal Data Processing
The processing of personal data in generative AI systems must be based on one of the lawful grounds listed in the Regulation. For special categories of data, an exception under the Regulation must apply. Legal grounds include performing tasks in the public interest or complying with legal obligations. Consent may be used but must meet specific legal requirements. EUIs must ensure that providers comply with data protection principles, especially when using legitimate interest as a legal basis.
Principle of Data Minimization
Data minimization requires that personal data processing is limited to what is necessary for the purposes of the processing. This principle applies throughout the lifecycle of the AI system. EUIs must use high-quality, well-curated datasets and implement technical procedures to minimize data use.
Data Accuracy
Data controllers must implement measures to ensure data accuracy, including verifying dataset content, regular monitoring, and human oversight. Contractual assurances from third-party providers on their data accuracy procedures are necessary. Despite these efforts, generative AI systems may still produce inaccurate results, which makes careful assessment of data accuracy necessary.
Informing Individuals about Data Processing
EUIs must provide clear and comprehensive information to individuals about personal data processing in generative AI systems. This includes details about data sources, processing activities, and the logic of automated decisions. Transparency policies help mitigate risks and ensure compliance. Data protection notices should be regularly updated to reflect changes in data processing activities.
Automated Decision-Making
Generative AI systems may involve automated decision-making, requiring compliance with Article 24 of the Regulation. EUIs must ensure safeguards for individuals, including the right to human intervention, to express their views, and to contest decisions. The use of AI in decision-making must be carefully considered to avoid unfair, unethical, or discriminatory outcomes.
Ensuring Fair Processing and Avoiding Bias
Bias in generative AI systems can arise from training data, algorithms, or developers. Biases can lead to unfair processing and discrimination, affecting individuals' rights and freedoms. EUIs must ensure datasets are representative and implement accountability mechanisms to monitor and correct biases. Regular testing and validation help identify and mitigate bias.
Exercising Individual Rights
Generative AI systems present challenges for exercising individual rights, such as access, rectification, erasure, and objection. Proper dataset management and traceability support the exercise of these rights. Data minimization techniques can mitigate risks associated with managing individual rights. EUIs must implement measures to ensure the effective exercise of individual rights throughout the AI system lifecycle.
Data Security
Generative AI systems may pose unique security risks, requiring specific controls and continuous monitoring. EUIs must implement technical and organizational measures to ensure data security, including regular risk assessments and updates. Security measures should address known vulnerabilities and evolving threats.
Conclusion
The EDPS Orientations provide a framework for EUIs to develop, deploy, and use generative AI systems while ensuring compliance with data protection principles under the Regulation. Adherence to data protection by design and by default, transparency, accountability, and continuous monitoring are essential to safeguard individuals' rights and freedoms.
Prokopiev Law Group is well-equipped to ensure your compliance with evolving Web3 regulations, leveraging our extensive global network of partners. We offer expert guidance on issues such as decentralized finance (DeFi) regulations, NFT legal frameworks, smart contract governance, and cross-border crypto-asset reporting standards. Please contact us for comprehensive advice on navigating the complex regulatory landscape of Web3, including matters like the FATF Travel Rule, MiCA in the EU, and on-chain dispute resolution mechanisms. Our expertise spans worldwide jurisdictions, ensuring compliance wherever your operations are based. Please write to us for tailored solutions to your Web3 legal needs.
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.