Processing of Personal Data in the Context of Artificial Intelligence Models
Introduction
The European Data Protection Board (“EDPB”) issued Opinion 28/2024[1] addressing key data protection concerns related to the processing of personal data in the context of artificial intelligence (“AI”) models. This Opinion was prepared in response to the Irish Supervisory Authority’s request under Article 64(2) GDPR[2] , reflecting the widespread deployment[3] of AI technologies and the complex challenges they pose to data protection laws.
Background
The EDPB’s Opinion was driven by a growing demand for a harmonized approach to applying GDPR provisions to AI models across the European Economic Area. Organizations increasingly rely on AI for diverse purposes, such as improving customer services and detecting fraudulent activities. However, integrating personal data into AI model development and deployment raises critical legal and ethical concerns.
Key questions addressed in the Opinion are:
- The conditions under which an AI model can be considered anonymous.
- The appropriateness of legitimate interest as a legal basis for data processing in AI development phases.
- The appropriateness of legitimate interest as a legal basis for data processing in AI deployment phases.
- The implications of using unlawfully processed personal data during the development of an AI model on subsequent operations of the AI model.
The Opinion aims to guide supervisory authorities on consistent GDPR enforcement and address systemic and novel issues arising from AI technologies.
Scope of the Opinion
The Opinion focuses on:
- Anonymization of AI Models: Determining when AI models trained on personal data can be considered anonymous.
- Legitimate Interest: Assessing how controllers can rely on legitimate interest as a legal basis during AI model development and deployment.
- Impact of Unlawful Processing: Evaluating the consequences of using unlawfully processed personal data in the development phase on subsequent operations of AI models.
The EDPB emphasizes that its guidance does not provide an exhaustive solution but offers a framework for supervisory authorities to assess AI-related data protection concerns on a case-by-case basis.
Main Findings of the Opinion
Anonymization of AI Models:
The EDPB underlines in the Opinion that AI models trained on personal data cannot universally be deemed anonymous. The determination depends on whether personal data can be directly or indirectly inferred from the model.
Supervisory authorities must evaluate the AI model's anonymity on a case-by-case analysis. The Opinion provides a non-exhaustive list of methods that may be used by the controllers claiming anonymity such as model design showing prevention or limit in the personal data collection and use for training the model, reduction of data identifiability, prevention of extraction, and resistance to attacks (e.g., membership inference and model inversion).
Anonymity requires that direct extraction of personal data and unintentional disclosure via queries be insignificant under reasonable circumstances.
Legitimate Interest as a Legal Basis:
The Opinion underlines that legitimate interest as per Article 6(1)(f) GDPR cannot be the default legal basis for personal data processing for AI model training.[4] It adds that there is no prioritization among different legal basis for processing the GDPR provides. Controllers must justify appropriate legal basis by demonstrating compliance with the three-step test[5] :
- Identifying the legitimate interest pursued by the controller or a third party. For this purpose, interest shall be cumulatively (i) lawful, (ii) with clear and particular articulation, (iii) real and present.
- Assessing the necessity of processing for the stated interest, via passing the "necessity test".
- Ensuring that the legitimate interest is not overridden by data subjects’ fundamental rights and freedoms, via passing the "balancing test". Due to the complexity of AI models, the reasonable expectations of the data subjects for processing activities play a role in the balancing test.
The Opinion includes a non-exhaustive list of mitigating measures in the AI development and deployment phase that could limit the impact of data processing ensuring transparency and data minimization principles. For example, excluding data content from publications including data about vulnerable individuals, and collecting data from websites that object to web scraping may be forms of mitigation measures[6] .
Unlawful Processing of Personal Data:
The Opinion identifies three scenarios involving unlawful processing during AI model development:
- Scenario 1: If personal data is retained in the model and used by the same controller during deployment, lawfulness's impact depends on subsequent processing's purpose.
- Scenario 2: If personal data is retained in the model and used by another controller via the deployment of the model, the recipient must verify the legality of the data used in development as part of its accountability obligations to ensure lawful processing and compliance with Article 5(1)(a) and 6 GDPR. In this manner, the EDPB suggests the controllers to pay attention to the source of the data, and any apparent factor showing that the initial processing was found unlawful by a supervisory authority or court decision determining the infringement of the GDPR by the AI model.
- Scenario 3: If personal data is unlawfully processed to develop an AI model and anonymized before deployment by the same or another controller, subsequent operations may not fall under GDPR unless personal data is reintroduced. However, if further personal data is collected in the post-anonymization deployment phase, GDPR would apply. Therefore, the lawfulness of processing at the deployment phase may be impacted by unlawful initial processing, unless the model has been anonymized.
Conclusion
Opinion 28/2024 underscores the EDPB’s commitment to addressing the challenges posed by diverse AI technologies while safeguarding data subjects’ rights. By emphasizing a case-by-case approach, the Opinion provides supervisory authorities and data protection officers with tools to assess compliance and promote ethical, safe, and responsible innovation.
- EDPB, Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models, 17.12.2024, Access Date: 06.01.2025, For Access: https://www.edpb.europa.eu/system/files/2024-12/edpb_opinion_202428_ai-models_en.pdf
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, 4.5.2016, s. 1–88.
- EU AI Act Article 3 defines deployer as follows: "a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity”. Deployment involves the process by which an AI system is put into use by a deployer within their area of authority. This encompasses the integration and application of the AI system in real-world settings to achieve its intended objectives.
- CMS Law-Now, 20.12.2024, Access Date: 06.01.2025, For Access: https://cms-lawnow.com/en/ealerts/2024/12/edpb-opinion-28-2024-key-takeaways-on-processing-personal-data-in-the-context-of-ai-models?format=pdf&v=13
- For further information on three-step test please see: EDPB Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR, 08.10.2024, Access Date: 06.01.2025, For Access: https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf.
- Rosie Nance, Marcus Evans, Francesco Gelmetti, The EDPB Opinion on training AI models using personal data and recent Garante fine – lawful deployment of LLMs, Access Date: 06.01.2025, For Access: https://www.dataprotectionreport.com/2025/01/the-edpb-opinion-on-training-ai-models-using-personal-data-and-recent-garante-fine-lawful-deployment-of-llms/#page=1
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
As technology advances, artificial intelligence (“AI”) is steadily making its way into dispute resolution, promising enhanced efficiency. Practitioners are carefully weighing its capabilities against its limitations...
The Framework Convention on Artificial Intelligence (Convention) is an international treaty proposed by the Council of Europe that was recently opened for signature . This is the first legally binding international framework regulating the entire lifecycle of Artificial Intelligence (AI) systems. The Convention ensures...
The "Brussels Effect" refers to the phenomenon where European Union (“EU”) regulations influence or set standards globally. Since the EU is a significant market, global companies often find it practical and economically beneficial to adopt EU standards across all their operations rather than comply with multiple...
With its decision dated 11.10.2023 and numbered 2020/76 E., 2023/172 K. published in the Official Gazette dated 10 January 2024 and numbered 32425 ("Decision"), the Constitutional Court ("Constitutional Court") evaluated the requests for the annulment of certain articles of the Law No. 7253 on the...
The Information Technologies and Communications Board adopted the Procedures and Principles for Social Network Providers (“Procedures and Principles”) with its decision dated 28.03.2023 and numbered 2023/DK-ID/119. The said decision was published in the Official Gazette dated 01.04.2023, and entered into...
The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...
ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...