The European Data Protection Board has issued a statement regarding AI systems like OpenAI’s ChatGPT. These AI tools are trained on large amounts of data, which has sparked discussions in the EU about potential data protection violations. The European Data Protection Board has now set guidelines to allow individual data protection assessments for AI systems.
The statement introduces a three-step system to determine if AI companies have a legitimate interest in using personal data. Many companies process personal data to offer their services, and the first step involves assessing if this claim is valid. The companies must clearly articulate their interest and ensure it doesn’t violate national or EU laws.
The second step examines whether processing personalized data is truly necessary for AI systems. AI companies should find ways to achieve their goals without infringing on individuals’ rights. The third step involves weighing the interests of the AI companies against the fundamental rights of individuals.
Even if AI companies demonstrate a legitimate interest in using data, it is crucial that the processed data is anonymized. According to the European Data Protection Board, it must be “highly unlikely” for individuals to be identified from the data used to create the model. Additionally, it should be ensured that these data cannot be extracted from the AI through prompts or other means.
Anu Talus, Chair of the European Data Protection Board, emphasizes that AI technologies can bring many opportunities and benefits to various industries and life areas. However, it’s important to ensure these innovations are achieved ethically and safely so that everyone benefits. The Board aims to support responsible AI innovation by ensuring data protection and compliance with the General Data Protection Regulation (GDPR).
If AI systems like ChatGPT do not adhere to these guidelines, they could face bans. However, a ban may not immediately follow a violation. Companies could be given time to implement necessary data protection measures and anonymize individual data within the AI model.
There are critical voices regarding this statement. Max Schrems, founder of the civil rights organization Noyb, commented, “Essentially, the European Data Protection Board says: If you comply with the law, everything is fine. As far as we know, none of the major players in the AI scene comply with the GDPR.”
How the statement and proposed systems by the European Data Protection Board will be implemented in the EU remains to be seen. The Board is currently working on further guidelines to address specific data protection issues in AI systems, such as web scraping, where content is collected extensively from the internet for AI training.