Anonymous AI models
The EDPB notes that AI models trained with personal data cannot always be considered anonymous. An AI model is considered anonymous if the likelihood of extracting personal data directly or probabilistically and the likelihood of obtaining such personal data from queries are both insignificant. This creates a high bar for developers to overcome. Competent supervisory authorities should assess claims of anonymity on a case-by-case basis, considering all means reasonably likely to be used to identify individuals. The EDPB provides suggestions of methods for controllers to demonstrate anonymity. Under the accountability provisions of Article 5 of the GDPR, the EDPB also made clear that competent supervisory authorities will expect controllers to evidence their approach if they conclude that AI models are anonymous.
Legitimate interest as legal basis in development and deployment phases of AI models
The EDPB recognises that legitimate interest can be a valid lawful basis for processing conducted in the context of the development and the deployment of AI models. It states that controllers must demonstrate the appropriateness of legitimate interest as a legal basis for processing personal data during the development and deployment of AI models by carrying out the usual three-step test. The EDPB set out examples of mitigating measures that controllers can introduce to limit the impact of processing.
Consequences of the unlawful processing of personal data
The impact of unlawful processing of personal data during the development phase on subsequent processing or operation of the AI model depends on the specific circumstances.
The EDPB considered three scenarios.
- Personal data is unlawfully processed in model development, then retained in the AI model and processed by the same controller in model deployment: Data protection supervisory authorities should assess on a case-by-case basis whether the development and deployment phases involve separate purposes (and therefore are separate processing activities). If there is a lack of legal basis for the initial unlawful processing, this may impact the lawfulness of subsequent processing.
- Personal data is unlawfully processed in model development, then retained in the AI model and processed by another controller in model deployment: The GDPR requires each controller to be able to demonstrate the lawfulness of its processing, so data protection authorities should consider whether appropriate assessments were conducted at each phase to confirm the lawfulness of processing and the absence of any findings of infringement.
- The AI model is anonymised after unlawful processing in model development, and subsequent processing (by any controller) is conducted in model deployment: The lawfulness of processing carried out in deployment should not be impacted by the unlawfulness of the initial processing if it can be shown that, because of the anonymisation, the subsequent processing does not involve any processing of personal data.
The EDPB confirmed that supervisory authorities have discretionary powers to assess infringements and impose appropriate measures, such as fines, temporary limitations, or erasure of unlawfully processed data.
The opinion is available here.