EU data protection regulators have announced their final Opinion on some key issues related to the processing of personal data in AI models. Below is a summary for information purposes only. If you need legal advice, please get in touch.
When is an AI model considered anonymous?
This can only be decided case-by-case, and there's a non-prescriptive, non-exhaustive list of methods to demonstrate anonymity. In broad terms:
For a model to be anonymous, both of the following should be very unlikely: (1) directly or indirectly identifying individuals whose data was used to create the model, and (2) extracting such personal data from the model through queries.
When/how is 'legitimate interest' an appropriate legal basis for processing personal data to create, update, develop or deploy an AI model?
Considerations here include a 'three-step test' that assesses:
- Pursuit of a legitimate interest by the controller or by a third party;
- The necessity of the processing to pursue the legitimate interest;
- Balance.
In short, the regulator will consider whether the controller's interest is lawful, clear and precisely articulated, real and present; whether the processing is shown to be strictly necessary; and whether it is balanced in terms of respecting the individual's rights.
What are the consequences for an AI model developed by unlawful processing of personal data?
An AI model that has been developed with unlawfully processed personal data could also be considered to be unlawfully deployed (unless perhaps the model is anonymised). Like the FTC in the US (which has ordered some infringing models to be destroyed), regulators have wide investigative and assessment powers, and can take appropriate, necessary and proportionate action depending on the facts of the case.