ChatGPT & Co.: EU data protection officer defends data minimization
It is a misconception that the principle of appropriate data use no longer has any place with AI, writes the EU Data Protection Supervisor in guidelines.
(Image: mixmagic/Shutterstock.com)
The EU Data Protection Supervisor Wojciech Wiewiórowski published guidelines on generative artificial intelligence (AI) and personal data for the EU administration on Monday. In it, he addresses the issue of privacy in times of chatbots and language models as well as the conflict with the principle of data minimization from the General Data Protection Regulation (GDPR).
It is a misconception that the principle of data minimization has outlived its usefulness in the age of AI , explains Wiewiórowski. Ultimately, it is about ensuring that the personal data processed is "adequate and relevant" and is "limited to what is necessary" for the purposes pursued.
Quality vs. quantity
"Using large amounts of data to train a generative AI system does not necessarily mean greater effectiveness or better results", writes Wiewiórowski in the paper. Rather, "the careful design of well-structured data sets", the principle of quality over quantity, a well-monitored training process and regular monitoring of the results are crucial.
Those responsible are therefore obliged to limit the collection and other processing of personal data to what is necessary and not to act indiscriminately. According to the inspector, EU institutions must ensure that the available procedures for minimizing the use of personal data are taken into account when developing and using generative AI models.
The processing of personal information in the context of generative AI systems "requires a legal basis" in accordance with the GDPR, emphasizes Wiewiórowski. If a legal obligation is to be implemented, its basis must be clearly and precisely defined in EU law. The use of consent as a legal basis must be carefully examined, as all requirements of the GDPR must be met.
The regulation also requires a data protection impact assessment prior to any processing operation "likely to result in a high risk to the fundamental rights and freedoms of individuals". Relevant risks must be "identified and addressed throughout the lifecycle of the generative AI system", especially in the case of further developments and updates.
AI hallucinations not compatible with GDPR
Despite major containment efforts by operators, "generative AI systems still tend to deliver inaccurate results", writes Wiewiórowski. This could also have a negative impact on fundamental rights and violate the GDPR requirement for data accuracy. Even with this focus, EU institutions would have to constantly monitor AI systems.
If the technology is intended to support decision-making processes, EU institutions would have to consider legality, fairness and the risk of discrimination. In accordance with the right to information, data subjects would have to receive meaningful information about the logic, significance and possible consequences of profiling and automated decisions .
(olb)
