AI Innovation in Europe Requires a Balanced and Risk-Based Interpretation of the GDPR

TechWonk Blog

TechWonk Blog - AI Innovation in Europe Requires a Balanced and Risk-Based Interpretation of the GDPR

November 8, 2024 by View all posts by Marco Leto Barone

On 5 November, 91pro视频 participated in the European Data Protection Board’s (EDPB) stakeholder workshop on AI Models. The workshop was meant to inform the EDPB’s opinion on the use of personal data for AI models, which is expected before the end of the year. Ahead of the workshop, 91pro视频 joined 14 other industry associations in a joint statement, calling on the EDPB to take a balanced, risk-based, and pro-innovation approach to data processing for AI development and deployment.

Companies must be able to access and use personal data for developing and deploying innovative and transformative AI technologies in Europe. Such access is crucial for the EU’s digital transformation and competitiveness goals. The opinion must recognize that this can be done in a way that is proportionate, risk-based, and aligned with the GDPR.

To do so, 91pro视频 shared the following recommendations:

Legitimate interest is an appropriate legal basis for AI model training

The EDPB should recognize that legitimate interest is an appropriate and robust legal basis for processing personal data for the training of AI models, as also previously recognized by other European regulators like the French Data Protection Authority.

AI models have the potential to significantly benefit society, businesses, and individuals. AI can increase productivity, boost economic growth, support scientific discovery and healthcare, and enable transformative use cases. These considerations can help tip the legitimate interest balance in favor of the controller.

Of course, this will be possible if the circumstances of the processing are assessed, and the appropriate safeguards are deployed when necessary. Importantly, the opinion should note that the commercial goal of developing an AI model should not prevent legitimate interest. As considered by the Court of Justice of the EU, a wide range of interests may be considered legitimate, including those of commercial nature.

Finally, the opinion should not consider consent as a preferred legal basis. Given the scale of data needed for most AI models, obtaining consent would be impractical, disproportionate, and lead to reduced representativity of datasets.

AI models are not searchable databases of personal data

AI models are a mathematical representation of statistical patterns. They are not designed to memorize information about specific individuals, and once trained, they are not a searchable database of personal data.

The EDPB opinion should reflect this technical reality. When an AI model is trained, the training data is broken down into numerical ‘tokens.’ For example, in the case of an LLM, tokens would represent words, their meaning and relations (e.g., the word dog is associated with ‘animal’ but not with ‘plant’). The model performs mathematical operations to correlate these tokens, and it learns correlations in the form of numerical weights. When prompted, the model will then provide an output that predicts the most likely answer to a user’s prompt, based on the patterns and correlations it has learned. For example, in the case of an LLM, tokens would represent words, their meaning and relations (e.g., the word dog is associated with ‘animal’ but not with ‘plant’).

As such, the model itself does not process personal data as per the meaning of article 4 of the GDPR, as also recognized by the on Large Language Models (LLMs) from the Hamburg Commissioner for Data protection. If personal data is processed while the model is being trained or deployed, this shall be done in compliance with GDPR.

Access to a wide variety of data is needed for robust AI

The opinion should recognize that processing a wide range of data – including data about sensitive topics – is fundamental to achieve robust and representative AI models that reflect the cultural, geographic and linguistic diversity of Europe.

Crucially, the ability to legally process data about sensitive topics – that is information related to sensitive attributes (such as gender or religion), but outside the scope of article 9 of the GDPR - will be important for companies to identify and mitigate potential biases – which is required by the EU AI Act.

Rather than focusing on limiting the use of data, which will have negative consequences on businesses and individuals, the opinion should focus on the identification and implementation of safeguards to ensure the safe and lawful processing of personal data.

Recognize diversity of AI models and complexity of value chains

The exact safeguards applied to a specific AI project will depend on the nature of the model and the nature of the data being processed. Actors across the AI value chain – such as deployers and developers - will also have different roles and risk management responsibilities. This is why the opinion should not be prescriptive and should maintain a flexible approach.

Companies can implement different safeguards across different stages of the value chain to ensure the lawful processing of data. For example, data governance measures, de-duplication, minimization or pseudonymization can be helpful to address specific data protection risks at the training stage. On the other hand, measures like prompt and output filters can help address generative AI risks at the deployment stage.

Industry is continuously working to improve appropriate safeguards, and we hope to continue our collaboration with regulators to further explain the state of the art. A rigid and prescriptive approach may undermine the efforts to develop and deploy new safeguards.

Data subject rights can be subject to limitations

Data subject rights are of fundamental importance for the protection of data subjects. However, the opinion should acknowledge that data subject rights can be subject to limitations, both from a technical and legal perspective.

For example, it would be technically impossible to implement a right of rectification or erasure on the data after the model has been trained, without re-training the model. This would be disproportionate, costly, and resource intensive. Similarly, it would be technically impossible to locate and remove data about a specific individual after the data has been transformed and becomes part of a training dataset.

Alternative measures for the protection of data subjects should be considered in these cases. Output-level filters, for example, can be an effective and proportionate solution to remove content that data subjects.

Tags: Artificial Intelligence

A Pro-Innovation Code of Practice For Europe鈥檚 AI Continent Ambitions
April 24, 2025

The final draft of the EU Code of Practice for General Purpose AI (GPAI) models is expected to be unveiled in the coming weeks. Companies developing GPAI models like Large Language Models will be able [...]
President Trump Should Lay Out Tech and Economic Growth Actions in Address to Congress
March 3, 2025

President Trump has been a champion of policies that drive and expand America's tech economy. Since resuming office, he鈥檚 made clear that bolstering American prosperity and competitiveness is his priority. [...]
Meaningfully Advancing Global AI Governance: What We Hope to See at the France AI Action Summit
February 4, 2025

In November, 91pro视频 was on the ground on the margins of the inaugural Convening of the International Network of AI Safety Institutes, and provided perspectives on the activities that we thought would be most [...]
UK AI Opportunities Action Plan: A Bold Blueprint for Innovation and Growth
January 15, 2025

On January 13, the UK government launched its long-awaited 鈥淎I Opportunities Action Plan,鈥� a comprehensive and ambitious agenda of 50 actions to boost AI development and adoption in the UK. The Action [...]
Five Recommendations for the EU Code of Practice for GPAI Models
December 10, 2024

On 14 November, the EU AI Office circulated the first draft of the EU AI Act Code of Practice for general-purpose AI (GPAI) Models. Drafted by a group of experts, the Code is meant to guide developers [...]
Governments Must Seize This Pivotal Moment for International AI Safety Cooperation
November 19, 2024

This week in San Francisco, the United States will convene the International Network of AI Safety Institutes (hereafter 鈥淣etwork鈥�), established with the signing of the Seoul Statement of Intent toward [...]
#DownloadonTech: Harnessing AI鈥檚 Vast Potential with Dell鈥檚 Vivek Mohindra
November 14, 2024

In this episode of Download on Tech, 91pro视频 President and CEO Jason Oxman sits down with Dr. Vivek Mohindra, Senior Vice President of Corporate Strategy at Dell Technologies, to discuss AI's pivotal role [...]
Five Recommendations for the AI Act GPAI Model Code of Practice
September 27, 2024

On 30 September, 91pro视频 will represent the global technology industry in the first plenary meeting of stakeholders for the drafting of the Code of Practice for general-purpose AI (GPAI) models. These are [...]
Unpacking NIST's New Draft Guidance on Managing Misuse Risk of Dual-Use Foundation Models
August 7, 2024

To meet its 270-day deadlines pursuant to U.S. President Joe Biden鈥檚 Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, the U.S. Department of Commerce recently published a tranche [...]
#DownloadonTech: Aura鈥檚 Chief Scientist Zully Ramzan Explores AI-Driven Cybersecurity Innovations
August 1, 2024

In this episode, Download on Tech host and 91pro视频 President and CEO Jason Oxman sits down with Zully Ramzan, Chief Scientist at Aura and head of AuraX for an in-depth look into how AuraX is advancing online [...]