Data Protection: A Stumbling Block for Artificial Intelligence?
The recent headlines about the temporary ban imposed by the Italian Data Protection Authority on ChatGPT, an artificial intelligence (AI) chatbot developed by OpenAI, have additionally fuelled discussion regarding data protection in connection with the use of AI. According to the Italian Data Protection Authority, the main reason for the ban is the failure to provide information to users whose personal data are processed by OpenAI. The Italian Data Protection Authority also alleged that there was no legitimate legal basis for the mass processing of personal data for the purpose of training algorithms. These allegations against ChatGPT have triggered general data protection considerations concerning AI.
A universal definition of the term AI has not yet become established. This is related, among other things, to the fact that up to now the concept of artificial intelligence itself has not been unambiguously described. According to the latest version of the Proposal for a Regulation for an Artificial Intelligence Act (AI Act), the term AI system is defined as software that can generate outputs for a given set of human-defined objectives. In any case, AI requires large quantities of data and can be developed with various techniques and approaches. One of these approaches is machine learning.
Processing of Personal Data by AI
In machine learning ‒ to put it in simplified terms ‒ large amounts of data are processed and analyzed in order to train the AI algorithm. To the extent that personal data is processed, the General Data Protection Regulation (GDPR) comes into play and compliance with the numerous regulations it contains is required.
However, AI can use personal data not only for the training of the algorithm but also for its results. In this case, the intervention in data protection is even more serious, compliance with the GDPR is generally more difficult to achieve, and privacy rights also have to be taken into consideration. For example, in the use of ChatGPT it can be assumed that personal data will be stored permanently (at least) by certain persons. Moreover, on the basis of its data sets, ChatGPT provides information about specific persons.
AI and the GDPR
The processing of personal data in connection with the use of AI requires compliance with the principles of data protection pursuant to the GDPR. For instance, in accordance with the principle of data minimization, personal data may only be used for AI applications if it is actually needed for the respective predefined purpose. In addition, the processing may only be carried out for as long as is necessary for that purpose. Moreover, the personal data must be accurate and up to date. In connection with this last point, reports have already appeared in the media alleging that ChatGPT has disseminated untrue information about data subjects.
In particular, the principle of purpose limitation can, under certain circumstances, become a challenge if personal data initially collected for a specific purpose is later processed by the AI for different purposes. This can be the case in machine learning when data from totally different applications and sources are merged and processed for AI training. It would then have to be verified whether the initial purpose and the new purpose of the data processing are compatible with one another.
The processing, analysis, storage or collection of personal data in connection with the use of AI also requires a legitimate legal basis within the meaning of the GDPR. Depending on the technical characteristics and type of processing done by AI, the processing of personal data can, for example, be based on the consent of the data subjects or on the existence of a legitimate interest.
Furthermore, pursuant to the GDPR, each controller has the obligation to provide certain information to persons from whom data are obtained. The failure to provide information to users whose personal data are processed by OpenAI is also one of the major criticisms of the Italian Data Protection Authority.
Probably of particular interest for AI systems are Art. 13 para. 2 lit. f GDPR, with respect to direct collection, and Art. 14 para. 2 lit. g GDPR, with respect to third-party collection. In both cases, data subjects must be informed whether automated decision-making, including profiling, will be taking place. If so, data subjects must receive meaningful information about the logic involved, as well as about the significance and the envisaged consequences of such processing for them. In practice, providing an understandable explanation of how the algorithms behind the AI function can be a challenging undertaking for controllers.
As long as personal data are processed in an AI system, the controllers are obligated to institute suitable technical and organizational measures to ensure an adequate level of data protection. Notwithstanding this, a Data Protection Impact Assessment must be carried out in the event of data processing that is likely to result in a high risk.
Classification
Artificial intelligence can, in principle, bring progress to many processes and functions and contribute to the development of society, even though for many fields it is undoubtedly a disruptive technology. However, its application requires a corresponding degree of acceptance and trust in the technology. This also requires compliance with legal provisions, for example those of data protection. The example of ChatGPT illustrates this point. Artificial intelligence is still a young technology that has neither realized its full potential nor gone through the necessary process of adjustment to the existing legal expectations and requirements of society. Simple prohibitions will not create any added value for a technology of the future. Rather, it is now imperative that (legal) expectations and requirements be clearly defined. The EU Commission has begun doing so in formulating its two proposals for relevant legislation, the AI Act and the AI Liability Directive. What remains totally incomprehensible is why there is as yet no appropriate obligation of transparency that would enable people to easily recognize the use of such systems in everyday life, something that at the moment often only absolute experts can do; this ought to have been the first step. The transparency obligations in Art. 52 of the Proposal for an AI Act do not go far enough in this respect.
Please note: This blog merely provides general information and does not constitute legal advice of any kind from Binder Grösswang Rechtsanwälte GmbH. The blog cannot replace individual legal consultation. Binder Grösswang Rechtsanwälte GmbH assumes no liability whatsoever for the content and correctness of the blog.