The guidelines of the EDPS on artificial intelligence (AI) and privacy are addressed to public entities, but will be relevant also for private entities.
The European Data Protection Supervisor (EDPS) has published guidelines on Generative AI, focusing on the relationship between AI and privacy compliance.
On June 3, 2024, the EDPS issued the guidelines on Generative AI, aimed at providing practical recommendations to European institutions on the responsible use of generative artificial intelligence and how this use intersects with data protection regulations. While the document is primarily directed at public bodies, it also offers clear guidance to private entities.
Below are the main points addressed by the EDPS in the Guidelines:
1. How to determine if Generative AI systems involve the processing of personal data?
The processing of personal data in Generative AI can occur at various stages, which may not be apparent at first contact with these systems (e.g., during the training phase). For this reason, the EDPS recommends systematic monitoring throughout all phases of Generative AI implementation to verify whether personal data processing has occurred, which would require compliance with the GDPR.
2. What is the role of the DPO in the design and use of Generative AI?
According to the EDPS, ensuring that these systems comply with GDPR should not be the effort of a single individual, such as the DPO. It requires coordination with the Legal Department, IT Department, and the Local Information Security Officer (LISO) from the early stages of development or implementation of Generative AI systems to ensure compliance with current regulations. The creation of an “AI Task Force” and the preparation of internal procedures and guides can significantly contribute to this goal.
3. When should a DPIA be conducted?
Data protection risks must be identified and addressed throughout the entire lifecycle of the generative AI system. Regular and systematic monitoring is necessary to identify new risks that Generative AI may pose to data subjects as the system evolves.
4. What is the appropriate legal basis for using Generative AI?
The EDPS notes that the processing of personal data via Generative AI must take into account the entire lifecycle of the system, which affects the applicable legal bases. If processing is based on a legal requirement or public interest, this must be explicitly provided for by European law. Regarding consent, the EDPS believes it can serve as a legal basis only in specific circumstances. For legitimate interest, particularly concerning data collection for training systems, the EDPS refers to the July 4, 2023, decision (C-252/21) regarding Meta, emphasizing the need for particular attention in this area.
5. How can the principle of data minimization be ensured when using Generative AI systems?
Using a large amount of data does not necessarily result in better outcomes with Generative AI systems. The EDPS emphasizes prioritizing the “quality” of data over “quantity” as the most efficient way to ensure the principle of minimization.
6. Is it necessary to inform data subjects when using Generative AI systems?
Yes, if this involves the processing of personal data, it is necessary to provide all the information required under Article 13 of the GDPR.
7. How to ensure fair processing and avoid bias when using Generative AI systems?
Institutions must adopt procedures to identify and mitigate biases in AI systems, ensuring fair and non-discriminatory data processing. Therefore, the adoption of procedures and best practices aimed at mitigating potential biases should be a priority throughout the lifecycle of the Generative AI system.
8. How to ensure the exercise of data subjects’ rights?
Data controllers are responsible for the processing of personal data through Generative AI systems from their implementation; it is therefore necessary to adopt technical and organizational measures that, from the outset, ensure data subjects can exercise their rights.
We have developed a legal tech tool to assess the compliance of AI systems with the GDPR, intellectual property laws, the AI Act and ISO standards dedicated to artificial intelligence. You can watch a presentation video HERE and contact us to learn more.