The European Data Protection Board (EDPB) issued an opinion on December 18, 2024, clarifying the use of personal data in developing and deploying AI models. The opinion focuses on three main issues: determining when AI models can be considered anonymous, assessing the use of legitimate interest as a legal basis for data processing in AI development, and evaluating the implications of using unlawfully processed personal data in AI training. It also addresses the use of both first-party and third-party data.
Prior to its release, there was significant debate, especially from industry stakeholders like Bitkom, a German digital association, which warned of potential overregulation stifling innovation.
Bitkom also lamented the lack of dialogue between the EDPB and industry representatives before drafting the opinion. It called for pragmatic data protection policies and clearer guidelines for balancing interests, ensuring legal certainty for businesses while safeguarding individuals’ rights.
The EDPB’s opinion seeks to provide clarity on key issues while ensuring compliance with the GDPR. It emphasizes the need to assess AI models’ anonymity on a case-by-case basis, ensuring that individuals cannot be identified or their personal data recovered. While proposing a list of non-binding methods for verifying anonymity, the EDPB acknowledges the diversity and complexity of AI models, encouraging flexible, context-specific evaluations.
Regarding legitimate interest, the statement includes general considerations and outlines the already known three-step approach to evaluating its applicability and lawfulness, which both the ECJ and the EDPB recently repeated in more detail (see e.g. Guidelines 1/2024 on the processing of personal data based on Article 6 (1) lit. f GDPR). This test should ensure the necessity of the data processing, consider the balance of interests between the parties, and assess whether individuals could reasonably expect their data to be processed, while taking into account data protection principles such as data minimization.
If the balance test indicates that processing would have negative impacts, the statement suggests mitigation measures. These could include technical solutions, facilitating individuals’ rights, or enhancing transparency.
For unlawfully processed personal data, the statement asserts that using such data for AI models might render their deployment unlawful unless proper anonymization has occurred. The EDPB thus confirms the previously discussed "fruit of the poisonous tree" theory, according to which the unlawfulness of a data processing activity also extends to the processing activities based on that activity.
Given the rapid development and diversity of AI models, the statement serves as a framework for case-by-case analysis. It also mentions that the EDPB is working on additional guidelines addressing specific issues like web scraping.
In practice, the opinion of the EDPB is likely to mean more intensive work when negotiating contracts. It is therefore vital to ensure that companies offering AI models provide appropriate proof of conformity, i.e. that their model is free of personal data or that the conditions under which this data may be further processed are met.
In any case, possible liability cases should be regulated with sufficient clarity in advance, in order to at least exclude financial damages resulting from the use of this technology.
The EDPB opinion can be found here.