CLVPartners

CLV-02
Menu

data processing

Data protection considerations related to the development of AI models

Data protection, News / / , , , , , , , ,

Reading time: 5 minutes

Artificial intelligence (“AI“) is a rapidly evolving family of technologies that contributes to a wide range of economic, environmental, and social benefits across all sectors and social activities. By improving predictive accuracy, optimizing operational processes and the allocation of resources, and enabling the personalization of digital solutions available to individuals and organizations, the use of AI can confer a decisive competitive advantage on businesses while also delivering beneficial social and environmental outcomes.

The use of artificial intelligence, alongside its potential benefits, is also associated with certain risks. In order to mitigate these risks, Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (“AI Act”) has been adopted, several provisions of which have already entered into force. At the same time, the development of many AI models involves the use of personal data, which raises the question of how the AI Act affects data processing activities related to AI systems.

The relationship between the AI Act and the GDPR

The AI Act makes it clear that it does not amend the application of existing EU rules on the processing of personal data, including the requirements set out in the GDPR. Accordingly, organizations falling within the scope of the AI Act must, in the course of their data processing activities, comply fully with the provisions of the GDPR.

Through the enforcement of the right to the protection of personal data, the GDPR also supports the effective exercise of other fundamental rights, including, inter alia, freedom of thought and expression, the right to information and education, and the freedom to conduct a business. On this basis, it can be concluded that the GDPR establishes a legal framework that facilitates responsible innovation, including the responsible development and deployment of AI-related technologies.

Data protection considerations in relation with the development of AI Models

In connection with the development of AI models, the European Data Protection Board (“EDPB”) adopted a standalone opinion on data protection aspects arising in relation to the processing of personal data in the context of artificial intelligence models (“Opinion”).

The Opinion examines how personal data may be used in the development of AI models and highlights the issues requiring particular attention when placing on the market AI systems developed using personal data.

Lifecycle of AI Models

The EDPB divides the lifecycle of AI models into two stages, emphasizing that data processing may occur in either of them. The first stage covers the processes preceding the deployment of the model (including e.g. its creation, development, the training, the fine-tuning). The second stage relates to the deployment phase, encompassing the use of the model following its development.

Existence of a legal basis for data processing by data controllers

One of the cornerstones of data protection regulation is that personal data may only be processed where a specific legal basis exists. The Opinion reiterates the general expectation that data controllers must determine the appropriate legal basis for their processing activities.

However, the EDPB found that, as a general rule, an AI model developer may rely on legitimate interest as a legal basis, provided that the existence of such legitimate interest is duly substantiated. For this purpose, a three-step test – already familiar to those with experience in data protection compliance practice – serves to properly assess whether a legitimate interest genuinely exists.

The EDPB emphasizes that the balancing test must take into account whether the data subjects can reasonably expect their personal data to be used. The Opinion is significant in this regard because it sets out several criteria intended to assist data protection authorities in assessing the “reasonably foreseeable” criteria

The Opinion also recalls that, where it appears that the interests, rights, and freedoms of data subjects override the legitimate interests of the data controller or of a third party, all is not lost. Namely, the data controller may consider the implementation of mitigating measures to limit such adverse effects. These may include, for example, pseudonymization, or measures aimed at masking personal data or replacing them with fictitious personal data within the training dataset. The introduction of appropriate data protection measures can make data processing lawful again.

Anonymity

The GDPR classifies as personal data any information relating to an identified or identifiable natural person, whether directly or indirectly. According to the position of the EU institution, in the context of AI model development, personal data may only be used where they are properly anonymized, such that even in the event of a potential reverse engineering of the model, the identification of data subjects is not possible. With regard to anonymization, the EDPB emphasizes that the competent data protection authorities must assess, on a case-by-case basis, whether the organization developing the AI model has complied with this requirement. The body also sets out several recommended technique that may be suitable for preserving anonymity (e.g. prevent or limit the extraction of personal data used for training purposes).

Summary

The EU body emphasizes in its Opinion that compliance with data protection requirements governing the processing of personal data must be ensured throughout both the development and deployment of AI models. It is evident that the expansion of AI and its potential risks are being treated and monitored as a priority in law enforcement, and therefore numerous regulatory guidelines from authorities can be expected in the near future.

Photo source: pexels.com, Tara Winstead

Data protection considerations related to the development of AI models Read More »

Statement of the EDPB on data processing during the coronavirus epidemic

Company groups, Data protection, Medium-sized companies, News, Start-ups / / , , , , , ,

The European Data Protection Board (“EDPB”) has issued a statement on its website on data processing during the coronavirus epidemic.Please find our summary of the statement below:
1. The conditions of processing health data, as special category of data shall be specified by the national law in accordance with the GDPR. In this regard, the GDPR requires that the lawmaker defines specific measures and the suitable safeguards of the rights of the data subjects.

2. As per the position of the Hungarian Data Protection Authority emphasized, in the event of medical examinations such as body temperature measurement, this safeguard is the presence of a healthcare professional, therefore it is still not possible to implement such measurement at the workplace without the presence of a professional.

3. According to the EDPB’s position, the employers should inform employees if a coronavirus infected person has been identified at the workplace (to take the necessary protective measures), without revealing the identity of said person. The concerned employees shall be informed in advance and their dignity and shall be protected. Information on the infection should be first and foremost disclosed to those entitled to process these data, such as authorities and treating physicians if requested.

As the GDPR allows for a wide range of derogations in national law, we can expect a more detailed regulation of the data processing in relation to the epidemic.

The content of this article is not exhaustive and does not constitute a legal advice. Should you have any specific questions regarding any issues investigated by our articles, please contact us and we will be happy to be at your disposal.

Statement of the EDPB on data processing during the coronavirus epidemic Read More »

ON THE DATA PROCESSING RELATED TO THE CORONAVIRUS EPIDEMIC

Company groups, Data protection, Medium-sized companies, News, Start-ups / / , , , ,

The Hungarian Data Protection Authority („HDPA”, „Authority”) has issued on its website a briefing regarding data processing related to the coronavirus epidemic, also including certain general legal obligations beyond data protection. We have summarized the most important details as follows:
1. It is not only a vital interest but also a legal obligation of employers to provide a healthy and safe workplace.

2. Prior to any data processing, employers may be expected to create an epidemic action plan (preventive measures, allowing alternative working conditions (“home office”), procedure to be followed if the infection appears, assignment of responsible personnel within the company, implementation of a reporting system).

3. As a preventive measure within the action plan, it is recommended to provide employees with all necessary details, especially on the most critical information on the coronavirus (rules of hygiene, symptoms, who to report to within the company). The document titled “Procedure regarding the novel coronavirus identified in the year 2020” published on the website of the National Public Health Center could provide helpful for employers when wording the information.

4. According to the Labour Code, the employees shall report to the employer if they have knowledge of a risk of infection, including the risk of their own illness. With regards to this, the reporting system shall be implemented in a way that allows for confidential processing of data.

5. In the event of a report or suspicion of infection the HDPA considers filling out a questionnaire appropriate. Particular attention shall be paid to data minimisation. Employers shall not process the data of the suspected employee related to the epidemic beyond the questionnaire. The Authority specifically notes that data related to medical history or medical documentation shall not be requested or processed by the employer!

6. It needs to be emphasized that the employer shall not begin contact investigation, this should be entrusted with the investigating authority having jurisdiction!

7. Also important to note, the employer shall not conduct medical examination (i.e. use of thermometer), however, the professional examination of employees may be initiated through the involvement of healthcare professionals (first and foremost the company doctor).

8. The legal ground for the above data processing is based on the employer’s legitimate interest, if the medical examination of employees becomes necessary, the exceptional purpose of processing shall be in the interest of providing a healthy workplace.

9. It is recommended for employers to favour measures that do not result in the processing of data (following basic hygiene, providing disinfectants, proper cleaning). We would also like to note that the legislation does not allow for employers to distribute vitamins, medicine or immune-boosting products, etc. among its employees, therefore these are not legally possible as a preventive measure.

ON THE DATA PROCESSING RELATED TO THE CORONAVIRUS EPIDEMIC Read More »

CLVPartners
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.