
EDPB publishes eagerly anticipated Opinion on AI models

Authors: Davinia Brennan; co-authors: Anne-Marie Bohan, Sarah Jayne Hanna, Carlo Salizzo. Services: Technology and Innovation. Date: 13/02/2025

Towards the end of 2024, the European Data Protection Board (“EDPB”) published Opinion 28/2024 on the processing of personal data in the context of developing and deploying Artificial Intelligence (“AI”) models. The Opinion was requested by the Irish Data Protection Commission (“DPC”) in light of the fact that, while many organisations are now using AI models, their operation, training and use raise a number of wide-ranging data protection concerns, impacting data subjects across the EU/EEA. In particular, the interpretation and application of the fair, transparent and lawful processing principle and related obligations to AI models raises “systemic, abstract and novel issues.”

Whilst the Opinion is helpful, it does not provide the definitive guidance which many businesses were hoping for. There is still much legal uncertainty, as the Opinion emphasises the need for case-by-case assessments, and highlights the importance of accountability and record-keeping. However, in light of the principles-based and risk-based approach to data protection advocated by the GDPR, it was arguably difficult for the EDPB to be more definitive in its Opinion.

Unfortunately, as the Opinion was limited in scope to the questions asked by the DPC, the Opinion does not engage in any depth with a number of challenging GDPR compliance issues for AI model development and deployment, in particular, the processing of special categories of personal data; automated decision-making (including profiling); Data Protection Impact Assessments (“DPIAs”); compliance with the purpose limitation principle, and data protection by design.

Scope of Opinion

The EDPB Opinion is limited to providing responses to the three questions asked by the DPC pursuant to Article 64(2) GDPR. These questions, in short, included:

(1)   When and how can AI models be considered anonymous?

(2)   Is “legitimate interests” an appropriate legal basis for the development and deployment of an AI model?

(3)   If an AI model has been found to have been created, updated or developed using unlawfully processed personal data, how does this impact the subsequent use of that AI model?

The Opinion has been welcomed by the DPC, who noted that it provides guidance which will benefit Supervisory Authorities across the EU / EEA in regulating the responsible development and deployment of AI models and providing a harmonised position for all Supervisory Authorities to take account of.

The EDPB further plans to issue guidelines on anonymisation and data scraping in the context of generative AI, which should provide further clarity on these issues.

Question 1 – Anonymity of AI Models

In the EDPB’s view, AI models cannot automatically be considered anonymous once deployed. Their anonymity must be assessed on a case-by-case basis.

For an AI model to be considered anonymous, the likelihood of: (i) extracting any personal data relating to individuals whose personal data were used to train the model or (ii) obtaining such personal data (whether intentionally or not) when querying the model, must be insignificant, taking into account “all means reasonably likely to be used” by the controller or another person to identify individuals. To date, we have seen the Court of Justice of the European Union (“CJEU”) interpreting the concept of ‘personal data’ extremely broadly. Accordingly, the bar for anonymisation of AI models is set very high.

It will be essential for AI developers and / or deployers to ensure they can produce robust evidence to Supervisory Authorities, on request, supporting the limited risk of re-identification, including through a DPIA. In addition, a controller should ensure its documentation includes, inter alia, any advice or feedback provided by its Data Protection Officer (where applicable), as well as any information on the technical and organisational measures taken whilst designing the AI model to reduce the likelihood of identification.

The EDPB flags that a Supervisory Authority’s assessment as to whether an AI model is anonymous may differ depending on the context of development and deployment of the model. For example, Supervisory Authorities may consider different levels of testing and resistance to attacks in respect of a publicly available AI model which is accessible to an unknown number of people with an unknown range of methods to try and extract personal data, versus an internal AI model which is accessible only to employees.

Question 2 – Legitimate Interests as a Legal Basis

The EDPB recalls that there is no hierarchy between the legal bases provided by the GDPR, and that it is for controllers to identify the appropriate legal basis for their processing activities. However, the EDPB confirms that, in principle, a developer and/or deployer, acting as a controller, can rely on legitimate interest as a legal basis for processing personal data, subject to a case-by-case assessment being undertaken.

Three-step test for relying on Legitimate Interests

In line with CJEU case-law, and the recent draft EDPB Guidelines 1/2024 on legitimate interests (previously discussed here), the EDPB highlights the need to conduct a three-step test prior to invoking legitimate interests as a legal basis for processing personal data. This three-step test comprises:

  1. Identifying the legitimate interest pursued by the controller or a third party;
  2. Assessing the necessity of the processing for the legitimate interest pursued; and
  3. Carrying out a balancing test confirming that data subjects’ fundamental rights and freedoms do not override the legitimate interests of the controller or a third party.

A controller’s assessment of the above should be documented in a Legitimate Interests Assessment (“LIA”). In addition, the assessment should document any mitigation measures taken by the controller which help tip the balancing test in their favour.

Whilst meeting the first condition should be straightforward, controllers will likely find it more challenging to meet the necessity and balancing requirements. The EDPB flags, in particular, that the processing should be within data subjects’ “reasonable expectations” in order to satisfy the balancing test (in line with Recital 47 GDPR). The more indiscriminate and widespread the processing, such as obtaining personal data via web-scraping, the less likely it is to fall within data subjects’ reasonable expectations.

The EDPB emphasises that mere fulfilment of the transparency requirements in Articles 13 and 14 GDPR does not in itself mean that data subjects can “reasonably expect their data to be processed for AI model development and / or deployment purposes.”

Accordingly, it will likely be difficult (albeit not impossible) for controllers to rely on legitimate interests for mass web-scraping and other forms of third party data collection.

Mitigation measures to help tip balance in favour of Controller

The EDPB outlines a non-exhaustive list of mitigation measures which controllers can implement to help tip the balancing test in their favour when processing personal data in the development or deployment phases, and enable them to justify reliance on legitimate interests as a legal basis. The EDPB warns, however, that “mitigating measures should not be confused with the measures that the controller is legally required to adopt anyway to ensure compliance with the GDPR”.

For example, in the development phase, mitigation measures suggested by the EDPB when web-scraping include: technical measures to exclude the collection of personal data from certain sources or websites which might include data that may harm vulnerable data subjects; and excluding collection from websites that clearly object to web scraping. Meanwhile, in the deployment phase, the EDPB suggests controllers deploy technical measures to prevent the storage, regurgitation or generation of personal data, such as output filters.

The EDPB flags that mitigating measures should be tailored to the circumstances of the case, and Supervisory Authorities will need to assess the appropriateness of the mitigating measures implemented by controllers on a case-by-case basis.

Question 3 – Impact of unlawfully processed personal data in the development phase

The EDPB confirms that the lawfulness of the processing in the development phase may impact the lawfulness of the subsequent deployment of the model. The EDPB recalls the discretionary powers of Supervisory Authorities to assess possible infringements and to choose appropriate corrective measures to impose against developers that unlawfully process personal data to train their AI models, or third party deployers, where necessary. Such corrective measures may include fines or orders for the deletion of unlawfully processed data, or, in severe cases, destruction of an entire AI model that was developed using such data.

Effectively, there appear to be two ways for a deployer to protect itself in respect of any subsequent processing:

  • Demonstrate that the model is anonymous. If it can be demonstrated that the subsequent operation of the AI model does not involve the processing of personal data, such that the AI model is anonymous, then the GDPR will not apply, and the unlawfulness of any initial processing should not impact the subsequent deployment of the model.
  • Alternatively, the deployer can take steps to satisfy itself that the model was not developed unlawfully. The EDPB flags that the controller deploying the model should conduct appropriate due diligence to ascertain that the AI model was developed lawfully, in line with their accountability obligations. This assessment should take into account, for instance, the source of the personal data, and whether the processing in the development phase was subject to a finding of an infringement by a Supervisory Authority or a court. The EDPB acknowledges that the degree of due diligence to be conducted by a controller may vary depending on the risks raised by the deployment of the model.

Commentary

The EDPB’s Opinion should assist businesses that are developing and / or deploying AI models with complying with their GDPR obligations. However, it is clear that there is no “one size fits all” approach to GDPR compliance for businesses developing and / or deploying AI technologies. In addition, as AI technologies advance, so will regulatory expectations. Accordingly, it is crucial for businesses to consider their GDPR obligations on a case-by-case basis, in particular compliance with the core data protection principles and related transparency, lawful basis and accountability obligations. Maintaining robust documentation, including LIAs (when relying on legitimate interests as a legal basis), DPIAs, and records of processing activities, will be key to ensuring GDPR compliance.

Contact Us

For more information, please contact Davinia Brennan, or any member of our Technology and Innovation Group or your usual Matheson contact.