Determining legal bases for generative AI under data protection law
Determining the most appropriate legal basis under the UK GDPR for using personal data to train generative AI models is a complex data protection issue.
While "legitimate interests" is frequently seen as a more practical basis than obtaining consent, it hinges on providing clear privacy information and demonstrating that:
- you have a valid interest
- it’s absolutely necessary
- the rights and freedoms of the individuals concerned are not infringed.
Increasingly, this is being challenged and complaints have been raised with data protection authorities across Europe on this issue, which highlights the tension between data protection law compliance and the development of generative AI.
However, (hopefully) clearer guidance from regulatory bodies appears to be on the horizon.
Last month, the Irish Data Protection Commissioner (DPC) announced its intention to seek an opinion from the European Data Protection Board (EDPB) on key issues related to data processing for AI development and training. The DPC has asked the EDPB to delve into the nuances of legal bases that data controllers rely on for such processing. This follows concerns raised by the DPC that the processing of personal data contained in the public posts of X’s EU/EEA users to train its AI ‘Grok’ gave rise to a risk to the fundamental rights and freedoms of individuals. The DPC had received a complaint from an individual who contended that the use of their personal data to train the AI model was not clearly communicated or justified.
It is likely that the EDPB will respond positively to the Irish DPC's request given the commitments made in the EDPB Strategy 2024-2027 to continue to address the challenges posed by AI. However, the resulting opinion will undoubtedly be scrutinised by legal and AI experts alike as its ramifications could have a significant effect on the evolution and application of AI technologies, particularly if it does not afford grace to the innate challenges of this technology. Whilst the opinion will comprise the views of EU data protection authorities (EU DPAs), it will likely carry influence in the UK and other jurisdictions. It will also be highly influential and indicative of how EU DPAs will apply the law in this area and where they may enforce it.
On the other side of the Irish Sea, the UK Information Commissioner’s Office’s (ICO) consultation series on generative AI has now closed. It will be interesting to compare the approaches of the ICO and the EDPB, especially if there is any divergence on when, where and how it is appropriate to rely on the legitimate interests lawful basis.
In the meantime, those operating in this space should ensure that they complete data protection impact assessments which document and justify the rationale for a particular legal basis. They should also make sure that privacy information is clear and prominent and that people can easily opt out.
The DPC is pleased to announce the conclusion of the proceedings it brought before the Irish High Court on 8 August 2024. The matter was back before the Court this morning and the proceedings have been struck-out on the basis of X’s agreement to continue to adhere to the terms of the undertaking on a permanent basis.