{"id":1321,"date":"2024-12-19T02:58:24","date_gmt":"2024-12-19T02:58:24","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1321"},"modified":"2024-12-19T02:58:24","modified_gmt":"2024-12-19T02:58:24","slug":"european-authorities-say-ai-can-use-personal-data-without-consent-for-training","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1321","title":{"rendered":"European authorities say AI can use personal data without consent for training"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The European Data Protection Board (EDPB) issued a wide-ranging report on Wednesday exploring the many complexities and intricacies of modern AI model development. It said that it was open to potentially allowing personal data, without the owner\u2019s consent, to train models, as long as the finished application does not reveal any of that private information.<\/p>\n<p>This reflects the reality that training data does not necessarily translate into the information eventually delivered to end users.<\/p>\n<p>The report was requested by the Irish Data Protection Authority (DPA) \u201cwith a view to seeking Europe-wide regulatory harmonisation,\u201d <a href=\"https:\/\/www.edpb.europa.eu\/news\/news\/2024\/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en\">the EDPB said in its statement<\/a>.\u00a0<\/p>\n<p>The group has now acknowledged that there are nuances to personal data. 
For example, the EDPB report said, it can make a difference if the personal data had been made publicly available and if \u201cindividuals are actually aware that their personal data is online.\u201d<\/p>\n<p>Arguably the most significant part of the report acknowledges that sometimes personal data, even when no explicit consent is granted, can still be used in training and be in compliance with the European Union\u2019s (EU\u2019s) <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\">GDPR rules<\/a>, provided that nothing especially sensitive emerges from the answers given by the final product.<\/p>\n<p>The report\u2019s regulatory wording says: \u201cIf it can be demonstrated that the subsequent operation of the AI model does not entail the processing of personal data, the EDPB considers that the GDPR would not apply. <\/p>\n<p>\u201cHence, the unlawfulness of the initial processing should not impact the subsequent operation of the model. Further, the EDPB considers that, when controllers subsequently process personal data collected during the deployment phase, after the model has been anonymised, the GDPR would apply in relation to these processing operations. In these cases, the Opinion considers that, as regards the GDPR, the lawfulness of the processing carried out in the deployment phase should not be impacted by the unlawfulness of the initial processing.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Questions to ask<\/h2>\n<p>The <a href=\"https:\/\/www.edpb.europa.eu\/system\/files\/2024-12\/edpb_opinion_202428_ai-models_en.pdf\">full report<\/a> is aimed at data protection supervisory authorities (SAs), but the guidance applies equally to enterprises seeking approval from SAs for their data processing activities. 
It suggested various questions for them to ask to determine generative AI (genAI) compliance.\u00a0They include:<\/p>\n<p>\u201cAt what stage of the processing operations leading to an AI Model is personal data no longer processed?\u201d<\/p>\n<p>\u201cHow can it be demonstrated that the AI model does not process personal data?\u201d<\/p>\n<p>\u201cAre there any factors that would cause the operation of the final AI Model to no longer be considered anonymous? If so, how can the measures taken to mitigate, prevent, or safeguard against these factors, so as to ensure the AI Model does not process personal data\u2013be demonstrated?\u201d<\/p>\n<p>Anonymization \u2014 any of several processes to remove or hide sensitive information from end users \u2014 is also complex and tricky, the report said.\u00a0<\/p>\n<p>\u201cClaims of an AI model\u2019s anonymity should be assessed by competent [authorities] on a case-by-case basis, since the EDPB considers that AI models trained with personal data cannot, in all cases, be considered anonymous,\u201d the report noted. <\/p>\n<p>\u201cFor an AI model to be considered anonymous, both the likelihood of direct \u2014 including probabilistic \u2014 extraction of personal data regarding individuals whose personal data were used to develop the model and the likelihood of obtaining, intentionally or not, such personal data from queries, should be insignificant, taking into account all the means reasonably likely to be used by the controller or another person.\u201d<\/p>\n<p>Then it explored the issue of what is in the heads of individuals whose personal information is being used to train the genAI models.<\/p>\n<h2 class=\"wp-block-heading\">Considerations for CIOs<\/h2>\n<p>It said SAs must consider \u201cthe role of data subjects\u2019 reasonable expectations in the balancing test. 
This can be important due to the complexity of the technologies used in AI models and the fact that it may be difficult for data subjects to understand the variety of their potential uses, as well as the different processing activities involved. In this regard, both the information provided to data subjects and the context of the processing may be among the elements to be considered to assess whether data subjects can reasonably expect their personal data to be processed.\u201d<\/p>\n<p>For CIOs wanting to keep on the right side of the SA ruling on their data usage, the considerations, the report said, would be:<\/p>\n<p>Whether or not the personal data was publicly available.<\/p>\n<p>The nature of the relationship between the data subject and the controller, and whether a link exists between the two.<\/p>\n<p>The nature of the service.<\/p>\n<p>The context in which the personal data was collected.<\/p>\n<p>The source from which the data was collected (for example, the website or service where the personal data was collected and the privacy settings they offer).<\/p>\n<p>The potential further uses of the model, and whether data subjects are actually aware that their personal data is online at all.<\/p>\n<p>The report also explored whether the data being used for genAI can be defined as a \u201clegitimate interest.\u201d<\/p>\n<p>Is there, it asked, \u201cno less intrusive way of pursuing this interest? 
When assessing whether the condition of necessity is met, SAs should pay particular attention to the amount of personal data processed and whether it is proportionate to pursue the legitimate interest at stake, also in light of the data minimization principle.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Stop looking for excuses<\/h2>\n<p>Various European business people reacted to the report in social media forums, including on LinkedIn.\u00a0<\/p>\n<p>Peter Craddock, a partner in the Brussels law firm Keller and Heckman, said the report doesn\u2019t explore what makes data personal, and simply assumes that all data is indeed personal until proven otherwise.\u00a0<\/p>\n<p>\u201cNowhere does the EDPB seem to look at whether something is actually personal data for the AI model provider. It always presumes that it is, and only looks at whether anonymization has taken place and is sufficient,\u201d Craddock wrote. \u201cIf insufficient, the SA would be in a position to consider that the controller has failed to meet its accountability obligations under Article 5(2) GDPR.\u201d<\/p>\n<p>And in a comment on LinkedIn that mostly supported the standards group\u2019s efforts, Patrick Rankine, the CIO of UK AI vendor Aiphoria, said that IT leaders should stop complaining and up their AI game.<\/p>\n<p>\u201cFor AI developers, this means that claims of anonymity should be substantiated with evidence, including the implementation of technical and organizational measures to prevent re-identification,\u201d he wrote, noting that he agrees 100% with this sentiment. \u201cThis is not that hard, and tech companies need to stop being so lazy and looking for excuses. 
They want to do great things building tech, but then can\u2019t be bothered treating the data they need for their great tech respectfully or responsibly.\u201d<\/p>\n<p>He scoffed at other comments suggesting that the proposed rules would encourage high-tech firms to leave Europe.<\/p>\n<p>\u201cYou can\u2019t be serious,\u201d Rankine said. \u201cIt\u2019s completely possible to protect the data of individuals and have a thorough set of useful data to train with. It requires a bit of effort and consideration. I think the legitimate interest clause needs an overhaul anyway. It\u2019s becoming rife everywhere and is definitely being used for non-legitimate means. I\u2019ve seen entire websites harvesting personal data and then claiming it\u2019s operating on the basis of legitimate interest.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The European Data Protection Board (EDPB) issued a wide-ranging report on Wednesday exploring the many complexities and intricacies of modern AI model development. It said that it was open to potentially allowing personal data, without the owner\u2019s consent, to train models, as long as the finished application does not reveal any of that private information. 
This [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1322,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1321","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1321"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1321"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1321\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1322"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}