The European Data Protection Board (EDPB) has issued Opinion 28/2024, addressing critical aspects of personal data processing in the development and deployment of Artificial Intelligence (AI) models. Adopted on December 17, 2024, the opinion responds to the Irish Data Protection Commission’s request for guidance under Article 64(2) of the GDPR, reflecting the growing importance of data protection in the context of AI technologies.
Key Highlights
- Anonymity in AI Models
The EDPB stresses that AI models trained with personal data cannot automatically be considered anonymous. It outlines criteria for assessing anonymity, emphasizing the need for transparency and accountability in training processes. Specific methods to minimize personal data extraction risks are recommended, including robust anonymization techniques.
- Legitimate Interest as a Legal Basis
The opinion provides guidance on demonstrating legitimate interest during the development and deployment of AI models. It underscores a three-step test to balance the controller’s interests with the rights and freedoms of data subjects.
- Unlawful Data Processing and Consequences
The EDPB examines scenarios where unlawful processing of personal data during the development phase may impact the model’s subsequent use. The assessment hinges on whether data subjects’ rights were infringed and whether corrective measures were implemented.
- Mitigation Measures
Controllers are advised to adopt measures tailored to specific risks associated with AI models. This includes incorporating privacy-preserving techniques and conducting thorough testing to ensure compliance with GDPR principles.
Implications for Businesses
Organizations leveraging AI technologies must ensure rigorous compliance with GDPR provisions. Proper documentation, risk assessments, and adherence to principles such as data minimization and fairness are crucial for mitigating potential legal and reputational risks.