Large AI models are trained with masses of personal information without the consent of the individuals involved. This is a significant data protection issue. The European Data Protection Board (EDPB) has issued an opinion on AI models in light of the General Data Protection Regulation (GDPR). This marks the beginning of the actual review work by national supervisory authorities.
The EU data protection officers have outlined a framework and developed a three-stage test for legitimate AI solutions. This framework leaves civil society organizations and various associations wondering about the future of large language models trained with masses of personal information and the assistants and bots based on them in the European Economic Area. The outcomes of the data protection authorities’ decisions are uncertain due to many vague points in the paper. The EDPB does not rule out bans on AI models or applications that were created unlawfully. At the same time, it has proposed remedies for their application, which could be technical or organizational in nature.
Data protection activists are now increasing pressure on the supervisory authorities. “Essentially, the EDPB says: If you comply with the law, everything is fine,” the civil rights organization Noyb (none of your business), founded by Max Schrems, explained to Euractiv. “But as far as we know, none of the major players in the AI scene comply with the GDPR.” Privacy International made a submission to the EDPB last week, stating that models like GPT, Gemini, or Claude are trained with personal information “without sufficient legal basis” and are unable to uphold individuals’ rights.
The Italian data protection authority Garante has already temporarily blocked ChatGPT. It justified this, among other things, by stating that the mass storage and use of personal data for “training purposes” are non-transparent and not in line with the GDPR. The Garante is likely to revisit the case following the EDPB’s guidelines. Its French counterpart CNIL is already striving to “finalize the EDPB recommendations and ensure the coherence of their work with this first harmonized European position.” The focus is primarily on web scraping, the mass extraction of data from more or less open online sources. The EDPB itself wants to continue working on this point.
The data protection officers of Baden-Württemberg and Rhineland-Palatinate, Tobias Keber and Dieter Kugelmann, noted in an initial reaction to the EDPB decision: “The opinion does not make any statements about the admissibility of specific AI models that are already on the market.” Rather, the committee has “established guidelines for a data protection review of AI systems on a case-by-case basis and for their design.” In principle, this is an important “step towards legal certainty for both developers and users of AI systems as well as for individuals whose data is processed in this context.”
The Deputy Federal Data Protection Commissioner Andreas Hartl emphasized that the EDPB enables “responsible AI.” Additionally, politics is required: “We also want as clear legal regulations as possible on when training data may be processed.” The Federal Association of the Digital Economy (BVDW) was less enthusiastic: The EDPB has created “little clarity and orientation.” Interpretation and delineation of the line are complex and difficult. “Over 36 pages, essential questions remain unanswered, which creates more legal uncertainty for developers and users of AI.” Adequate and technically feasible measures are lacking.
Meta CEO Mark Zuckerberg is “sad that I essentially have to tell our teams at this point to introduce our new AI advancements everywhere except in the EU.” He was responding to a comment from Meta’s chief lobbyist Nick Clegg, who said the work of the EU overseers was “frustratingly” slow. Clegg appealed to the national examiners to apply the new principles “quickly, pragmatically, and transparently.” Otherwise, the desired AI boom in the EU will not happen.