The opinion, which was requested by the Irish Data Protection Authority, looks at three issues related to privacy and AI:
Following is a short summary of the key points made by the EDPB regarding each of these issues:
Anonymity
The EDPB opinion provides guidelines on when AI models trained on personal data will be considered anonymous - a matter which should be assessed, based on specific criteria, on a case-by-case basis.
First, the EDPB states that models designed to provide personal data (as output) regarding individuals whose personal data was used to train the model (as input), such as generative models fine-tuned on the voice recordings of an individual to mimic their voice, or any model designed to reply with personal data from the training when prompted for information regarding a specific person, will not be considered anonymous.
However, even if that is not the case, the AI model is not necessarily rendered anonymous, since personal data may still remain "absorbed" in the parameters of the model and may be obtained from it. The EDPB considers that, for an AI model to be considered anonymous, both (i) the likelihood of direct or indirect extraction of personal data regarding individuals whose personal data was used to train the model and (ii) the likelihood of obtaining, intentionally or not, such personal data from queries, by using "means reasonably likely to be used" by the controller or a third party, should be insignificant.
Relying on Legitimate Interest
The EDPB offers guidance for when "legitimate interest" can be used as a legal basis for the development of AI models. To rely on legitimate interest, the AI model developer must conduct a three-step assessment (as further elaborated in a more general context in the EDPB's guidelines on this legal basis) and establish that the following cumulative conditions are met:
Mitigating Measures
When the data subjects' interests, rights, and freedoms seem to override the legitimate interest being pursued by the controller or a third party, the developer may consider introducing mitigating measures to limit the impact of the processing on these data subjects. The opinion provides a non-exhaustive list of examples for such mitigating measures, including:
The Effect of Unlawful Processing in the Development of an AI Model
The EDPB provides that unless the AI model has been duly anonymized (in accordance with the guidelines mentioned above), each controller, whether the developer of the AI model or another controller deploying an AI model after its development, may be responsible for unlawful processing of personal data in the development of the model.
The liability of the deployer (who was not responsible for the processing in the development phase) will depend, to a large extent, on whether or not they have conducted an appropriate assessment to ascertain that the AI model was not developed by unlawfully processing personal data.