Walk on eggshells – using personal data in AI

17.06.2024 Walk on eggshells – using personal data in AI

Data is essential for AI, providing input for training, learning, and improving models. Where these datasets involve personal data – data that allows a specific individual to be identified – one must be extra careful with following the data protection rules arising from the GDPR. Otherwise, you might end up like Meta who immediately got in trouble after announcing that it had decided to start using personal data, including years of personal posts, private images, and online tracking data, for AI.

The following is not an all-embracing overview of the GDPR requirements but provides some key principles to think about.

Transparency. GDPR requires personal data processing to be transparent, so that the data subjects would easily understand how their personal data is being used. Transparent communication is key to gaining trust and avoiding possible data subject frustration.

Lawfulness. Without proper legal basis under Art 6 of the GDPR, personal data processing is illegal. One way to make the use of personal data for AI legal would be to rely on the data subject’s voluntary consent, which requires an informed and active decision from the person. Relying on consent provides the data subject control over their personal data and builds better trust. Where asking for consent is not a suitable solution, other Art 6 legal bases must be considered.

Confidentiality. Strict security measures must be put in place to protect personal data from unauthorized access and other possible data breaches. The more personal data you have, the more serious the consequences may be if the data falls into the wrong hands. The complexity of AI systems must be considered when assessing the sufficiency of applied security measures.

Data minimization. This principle requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which personal data is processed. There is no exemption from this principle when it comes to AI. If the purpose can be achieved by processing fewer personal data, reduce the amount of personal data in the datasets.

 

Other relevant information

Click here to read about what to expect after publishing the AI Act.

Click here to learn more about AI checklist for business.

Click here to read more about the status of text and data mining exceptions in the Baltic states.