Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board (EDPB) issued a detailed opinion on privacy implications for AI models under the GDPR. The opinion outlines key considerations including the application of the GDPR to AI Models trained on personal data, the applicability of the “legitimate interest” legal basis for training AI models on personal data, and the implications for AI models unlawfully trained on personal data.
The EDPB opined that an AI model can be considered anonymous, and not subject to the GDPR, only when personal data cannot be extracted out of the model, and any output produced does not relate to the data subjects. Supervisory authorities should consider factors such as the characteristics of the training data, the model itself, and the training process. Additionally, regulators emphasize the need to assess the availability of external data that could potentially allow for the inference or identification of individuals and the resources required for such an effort.
Using AI models unlawfully trained on personal data, while having knowledge of breaches in the training process, will be considered unlawful. A data controller not involved in the model training may legally use such a model if they can demonstrate that they conducted an appropriate assessment to ascertain that the AI model was not developed by unlawfully processing personal data. However, the use of the AI model by the AI developer will be deemed a continuation of their original unlawful processing in the training phase.
The opinion also clarifies how data controllers may rely on the legitimate interest legal basis to train and use AI models. The opinion reiterated the standard process of asserting processing legality on legitimate interest: identifying and documenting the legitimate interest, demonstrating its necessity, and ensuring proportionality to data subjects’ rights and freedoms. When investigating this process in the context of AI models, regulators are instructed to examine the nature of the model, its intended operational uses, the amount and types of data processed for training, and the technical safeguard implemented, on a case-by-case basis.
Click here to read the full opinion of the EDPB on certain data protection aspects related to the processing of personal data in the context of AI models.
