Processing Personal Data in the Context of AI Models: EDPB’s Opinion 28/2024


Keywords: personal data – GDPR – AI models – anonymisation – legitimate interests – unlawful processing.

On the 17th of December 2024, the European Data Protection Board (EDPB) adopted an Opinion on the processing of personal data in the development and deployment of Artificial Intelligence (AI) models.[1] The Opinion arises from a request for clarification on the application of the General Data Protection Regulation (GDPR) by the Irish Data Protection Commission (DPC),[2] and is the first position of the EDPB on AI addressed to all supervisory authorities (SAs).[3]

To begin with, the EDPB clarified the object and scope of its Opinion. First, it outlined that the Opinion does not provide a complete analysis of the GDPR provisions that SAs should consider when assessing an AI model.[4] Second, it distinguished “AI systems” from “AI models”, the latter being an essential component of an AI system (i.e. an algorithm), and then specified that the request specifically referred to AI models that develop through learning from data.[5] Moving to the merits of the request, the EDPB addressed in turn each of the four questions posed by the Irish DPC.

The first question concerned when and how an AI model can be considered anonymous. This is all the more relevant because the GDPR does not apply to the processing of anonymous information but to the processing of personal data.[6] In its Opinion, the EDPB refrained from adopting an all-or-nothing approach and concluded that a case-by-case assessment is needed to determine whether an AI model trained on personal data may be considered anonymous. In a nutshell, such an assessment by the SAs should consider the likelihood that, by using reasonable means, personal data related to the training data can be extracted, and that personal data used to train a model may be obtained through queries.[7] For an AI model to be deemed anonymous, a controller will have to provide evidence that such likelihood is “insignificant”.[8]

The second and third questions instead focused on how controllers can demonstrate the appropriateness of “legitimate interest” as a legal basis for the development and the deployment phases of an AI model. Under art. 6 GDPR, “legitimate interest” is one of the possible legal bases of data processing when processing is not based on the consent of the data subject,[9] and appears especially relevant in the context of AI models in which there is no direct relationship between the data subjects and the controller. In principle, the EDPB clarified, a controller may rely on legitimate interests as a ground for processing personal data in the development or deployment of AI models. Relying on its previous guidelines and the case law of the CJEU,[10] the EDPB recalled the three-step test that SAs should use in order to assess the use of legitimate interest as a legal basis, which includes: (i) identifying a legitimate interest pursued by the controller or a third party; (ii) analysing the necessity of the processing for the purposes of the legitimate interest(s) pursued; and (iii) balancing the legitimate interest(s) with the fundamental rights and freedoms of data subjects.[11] With regard to the third step of the test in particular, the EDPB elaborated on the aspects that SAs should take into account in the context of AI models, including data subjects’ interests and fundamental freedoms, the impact of the processing on data subjects, and the expectations of data subjects.[12] In addition, the EDPB put forward mitigating measures that data controllers may adopt to limit the impact of data processing on data subjects in the development and deployment phases of AI models, and when collecting information from online sources through web scraping techniques.[13]

Lastly, the Irish DPC sought clarity on the impact that the unlawful processing of personal data for the development of an AI model may have on its subsequent processing or operation. According to the GDPR,[14] SAs are competent to take corrective measures (e.g. fines, temporary limitations, etc.) to address infringements of the GDPR including for unlawful processing, namely the processing of personal data without a legal basis.[15] In addition, the EDPB recalled that when personal data is processed unlawfully, art. 17 GDPR provides that data subjects can request the erasure of their personal data or the competent SA may order their deletion ex officio,[16] which may be technically complex for AI models learning to perform their tasks on data.[17] To answer this question, the EDPB examined two scenarios in which an AI model trained on unlawfully processed personal data retains personal data and is deployed by (i) the same controller or (ii) a different controller; and a third scenario in which an AI model trained on unlawfully processed personal data is anonymised prior to further data processing in its deployment. As a first point, the EDPB held that unlawful data processing in the development phase may have consequences on the subsequent processing activities of an AI model, which will be assessed by SAs on a case-by-case basis.[18] With regard to the scenario in which data processing in the deployment phase is taken over by another controller, SAs should consider whether the new controller complied with its accountability obligation under art. 5(2) GDPR to ascertain that the model was not developed by unlawfully processing personal data.[19] In the third scenario, the EDPB concluded that, provided an AI model has been anonymised, the unlawfulness of the initial processing should not impact the subsequent operation of the model as processing no longer entails personal data.[20]

The EDPB’s Opinion provides guidance on how to address some important and complex data protection issues in the context of AI. AI technologies challenge core GDPR principles, among others data minimisation, purpose limitation, and the underlying notion that data subjects should have control over their personal data.[21] In light of the rapid development and increasing use of AI, a common understanding of the relation between the GDPR and AI is a pressing concern and will be key to reconciling the protection of personal data and data subject rights with technological innovation in the EU.

--------------------
European Papers, Vol. 9, 2024, No 3, European Forum, Highlight of 27 February 2025, pp. 1497-1500
ISSN 2499-8249 - doi: 10.15166/2499-8249/822

* PhD in Legal Sciences, University of Cagliari and PhD in Law, University of Luxembourg (joint PhD), federica.velli@alumni.uni.lu

[1] EDPB, Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models adopted on 17 December 2024.

[2] Art. 64(2) Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). Unlike guidelines, recommendations, and best practices issued by the EDPB on its own initiative under art. 70(1) GDPR, an opinion is limited to the questions submitted to the EDPB.

[3] See further the EDPB’s work on ChatGPT, Report of the work undertaken by the ChatGPT Taskforce adopted on 23 May 2024.

[4] For example, Opinion 28/2024 does not cover the processing of special categories of personal data under art. 9 GDPR.

[5] Opinion 28/2024 cit. paras 19-26.

[6] Art. 2(1) GDPR cit. On anonymisation, recital 26 of the GDPR states “[t]he principles of data protection should […] not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

[7] Opinion 28/2024 cit. paras 39-43.

[8] Ibid. para. 43.

[9] Art. 6(1)(f) GDPR cit.

[10] EDPB, Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR version 1.0 adopted on 8 October 2024; see among others, case C-252/21 Meta v. Bundeskartellamt (ECLI:EU:C:2023:537) paras 106-112. 

[11] Opinion 28/2024 cit. para. 66.

[12] Ibid. paras 77-95.

[13] Ibid. paras 96-108.

[14] Art. 58(2) GDPR cit.

[15] Art. 6, recital 40 GDPR cit.

[16] Opinion 28/2024 cit. para. 115.

[17] See A Kesa, T Kerikmäe, ‘Artificial Intelligence and the GDPR: Inevitable Nemeses?’ (2020) TalTech Journal of European Studies 79 ff; G Sartor and F Lagioia, ‘The Impact of the General Data Protection Regulation (GDPR) on Artificial Intelligence’ (2020) European Parliamentary Research Service 57.

[18] Opinion 28/2024 cit. paras 120-123.

[19] Ibid. paras 129-132.

[20] Ibid. paras 133-135.

[21] Art. 5, recital 7 GDPR cit.

 
