Data security in AI models is a topic covered in the European Data Protection Board’s mind. It covers technology firms operating in the union, assessing AI privacy, the legal base for processing information, and prevention measures for impacts on data subjects.
It was published in response to a demand from Ireland’s Data Protection Commission, the prospect regulatory authority under the GDPR for some businesses.
What were the key factors of the advice?
The DPC looked for more details regarding:
- When and how does an AI model get categorized as “anonymous” — those that are incredibly unlikely to identify individuals whose data was used to create it, and are therefore free from privacy laws.
- When businesses can say they have a “legitimate attention” in processing individuals ‘ data for AI types and, therefore, don’t need to get their consent.
- The effects of an AI model’s development phase’s unconstitutional processing of personal information.
In a media release, EDPB Chair Anu Talus stated that” AI systems may offer several options and advantages to various sectors and areas of life. We need to confirm these improvements are done responsibly, carefully, and in a way that benefits all.
The EDPB wants to promote responsible AI technology by ensuring that personal information are safeguarded and in full compliance with the General Data Protection Regulation.
When is an AI model be viewed as “anonymous”?
If the likelihood of using personal information for education to be traced again to any person, either directly or indirectly, as through a quick, is deemed “insignificant.” An AI design can be considered private. A thorough examination of the likelihood of recognition is required, and “anonymity is assessed by regulatory authorities on a” case-by-case “basis.”
However, the viewpoint does offer a list of ways that design developers may exhibit anonymity, including:
- avoiding or restricting the collection of personal information while deciding which resources to use, such as excluding unimportant or inappropriate resources.
- Implementing robust technical measures to prevent re-identification.
- Ensuring info is properly anonymised.
- Using data-minimization methods to prevent the collection of bulky specific data
- constantly evaluating the dangers of re-identification through reviews and tests.
These demands, according to Pinsent Masons ‘ Kathryn Wynn, would make it difficult for Artificial firms to assert privacy.
According to her in a company article,” The potential damage to the protection of the person whose information is being used to train the AI design could be relatively minimal and could be further decreased depending on the circumstances.”
” But, the way in which the EDPB is interpreting the law may need organisations to meet costly, and in some cases impossible, compliance obligations around purpose limitation and transparency, in certain.”
When AI businesses you approach private information without the user’s consent.
In accordance with the EDPB opinion, AI companies can process private data without giving consent if they can demonstrate that their goals, such as improving products or services, outweigh the rights and freedoms of the individual.
This is especially crucial for tech companies because it is neither minor nor financially feasible to ask for permission to store the vast amounts of data used to teach models. But to count, companies will need to complete these three testing:
- Status test: A valid, legitimate reason for processing private information must be identified.
- Necessity test: The data handling may be required for function. There can be no other option, less aggressive ways of achieving the company’s aim, and the amount of information processed must be equal.
- Balance test: The impact on a person’s rights and freedoms must exceed the genuine interest in the processing of data. This considers whether a person could realistically expect their information to be processed in this manner, such as if they made it publicly accessible or had a relationship with the business.
If a business uses mitigating measures to lessen the impact of processing, it may still not be required to obtain the information subjects ‘ consent even if the balancing test is unsuccessful. Such methods include:
- Technical protection: Applying protection that reduce security challenges, such as encryption.
- Pseudonymisation: Installing or removing distinguishable information to prevent files from being linked to an individual.
- Data masking: Substituting genuine personal data with bogus data when genuine content is not important.
- Methods for data subjects to practice their right: Making it easy for individuals to exercise their data rights, such as opting out, requesting destruction, or making claims for data adjustment.
- Transparency: Publicly disclosing data processing practices through media campaigns and transparency labels.
- Web scraping-specific measures: Implementing restrictions to prevent unauthorised personal data scraping, such as offering an opt-out list to data subjects or excluding sensitive data.
Technology lawyer Malcolm Dowden of Pinsent Masons said in the company article that the definition of” legitimate interest “has been contentious recently, particularly in the , U. K.’s Data ( Use and Access ) Bill.
According to advocates of AI, “data processing in the AI context encourages innovation and provides social benefits that are “legitimate interests” for purposes of data protection law,” he said.  ”, Opponents believe that view does not account for AI-related risks, such as to privacy, to discrimination or from the potential dissemination of’ deepfakes ‘ or disinformation.”
Advocates for Privacy International have expressed concerns that AI models like OpenAI’s GPT series might not pass the three tests because they lack specific justifications for processing personal data.
Consequences of using personal information to develop artificial intelligence without permission
This will have an impact on how the model will be permitted to operate if a model is developed by processing data in a way that is incompatible with GDPR. The relevant authority evaluates” the circumstances of each individual case” but provides examples of possible considerations:
- The legality of both the development and deployment phases must be evaluated based on case specifics if the same company retains and processes personal data.
- The EDPB will take into account whether another company that processes personal data prior to deployment did a proper assessment of the model’s legality.
- Following unlawful processing, non-personal data processing is not subject to GDPR if the data is anonymized after that is unlawful. However, any subsequent personal data processing would still be subject to the regulation.
Why AI companies ought to pay attention to the advice provided?
The EDPB’s guidance is crucial for tech firms. Although it lacks legal authority, it has an impact on how privacy laws are enforced in the EU.
Indeed, companies can be fined up to €20 million or 4 % of their annual turnover— whichever is larger —  , for GDPR infringements. They might even be required to alter or completely delete their AI models.
SEE: EU’s AI Act: Europe’s New Rules for Artificial Intelligence
Due to the large volumes of personal data required to train models, which are frequently sourced from public databases, AI companies struggle to comply with GDPR. This creates challenges in ensuring lawful data processing and addressing data subject access requests, corrections, or erasures.
These difficulties have led to numerous legal battles and fines. For instance:
Additionally, in September, the Dutch Data Protection Authority fined Clearview AI €30.5 million for unlawfully collecting facial images from the internet without user consent, violating GDPR. The Irish DPC requested the opinion in the same month just after it successfully persuaded Elon Musk’s X to stop using public posts from European users to train its AI chatbot, Grok, without obtaining their consent.
