The European Data Protection Board (EDPB) published an opinion (28/2024) on December 18, 2024, which provides guidance on how personal data should be handled when developing and using AI models. The Opinion, which is a response to a request from the Irish Data Protection Authority, addresses several key issues related to AI and the GDPR.
When can an AI model be considered anonymous?
One of the key issues raised in the opinion concerns the anonymity of AI models. The EDPB emphasizes that a model trained on personal data cannot automatically be considered anonymous – the assessment must be made on a case-by-case basis. For an AI model to be considered anonymous, it must be highly unlikely that anyone could identify, directly or indirectly, the individuals whose data was used to develop the model. Furthermore, the risk of someone being able to extract personal data from the AI model must be negligible, even taking into account all reasonable means that could be used. The opinion proposes criteria for demonstrating that the data is anonymized.
Organizations wishing to claim anonymity for their AI model must therefore be able to demonstrate that their model meets these requirements through thorough testing and clear documentation. The EDPB stresses, among other things, the importance of analyzing the design of the model and conducting extensive testing to ensure that personal data cannot be identified, either directly or indirectly.
Balancing of interests as a legal basis
Another key question in the opinion is what legal basis in the GDPR can be used to process personal data in the context of developing and using AI models. According to the EDPB, the legitimate interest basis can be used in some cases by organizations wishing to process personal data during the development and/or deployment phase. This requires that the interest is legitimate, that the processing is necessary, and that the data subject’s interest in the protection of his/her personal data does not outweigh the controller’s interest.
In this regard, the EDPB attaches great importance to the reasonable expectations of data subjects in relation to the processing of their personal data and to increased transparency. In the Opinion, the EDPB presents criteria for assessing the reasonable expectations of individuals.
Consequences of unlawful processing
The EDPB Opinion also addresses the consequences of processing personal data in breach of the GDPR during the development phase. Unlawful processing of personal data during the development of an AI model can have significant consequences for its further use. The EDPB emphasizes that even the subsequent processing can be considered unlawful if the initial processing is not in accordance with the GDPR.
How is your business affected?
The Opinion is part of the EDPB’s continuing efforts to ensure that the development and use of AI models is in line with the principles of the GDPR. AI supply chain actors who may be data controllers during the development and/or deployment phase of an AI model should carefully consider these guidelines in their work and consider implementing them in their AI policies. For more information about the EDPB Opinion or the processing of personal data and AI, please contact me or one of the team.
-
Advokat, Senior Associate
+46 73 094 21 66
