Privacy Advocates View EDPB Opinion on Personal Data for AI Training as a 'Rorschach Test'

The opinion, which the Irish Data Protection Commission (DPC) requested, stated that data controllers may rely on "legitimate interest" (LI) as a legal basis under the General Data Protection Regulation (GDPR) for personal data processing when they develop and deploy AI models.

Among other things, the DPC asked how data controllers can demonstrate the appropriateness of LI as a legal basis when they develop and deploy AI models. The opinion covers only the subset of AI models that are trained with personal data, the EDPB noted.

The opinion set out general considerations for data protection authorities (DPAs) to consider when deciding if LI is an appropriate basis for personal data processing carried out for a particular AI model. Data controllers are responsible for making that call based on a three-step test that: (1) Identifies the LI the controller or a third party has in processing the data; (2) Analyzes the need of the processing for the purpose of the LI; and (3) Gauges whether the LI pursued is overridden by a data subject's fundamental rights.

LI must be lawful, clearly and precisely articulated and not speculative, the opinion said. The second prong of the test requires the data controller to consider whether the processing will enable pursuit of the LI or whether there's a less intrusive method. If a data subject’s interests, rights and freedoms seem to override the controller's LI, the controller could consider mitigation measures that would limit the impact on the individual.

The EDPB noted that since AI models trained with personal data can't in all cases be considered anonymous, DPAs should review a data controller's documentation showing the anonymity of the model to make that determination.

While at first glance the opinion might appear to offer a strong reaffirmation of GDPR principles, countering strong industry pressure to relax safeguards, many digital rights advocates worry that the focus on LI as a basis for processing data "weakens the requirements for companies to get explicit consent from people," EDRi said

This paves the way for companies to use personal data without permission, making it easier to train AI systems on people's information and allowing them to bypass privacy safeguards, leading to potential misuse of data, surveillance and bias in AI, according to EDRi.

The debate around using LI as a legal basis for processing personal data is central to AI regulation, EDRi noted. Consent is another basis, but businesses often dismiss it as inconvenient or impractical, EDRi added, and LI has been framed as a compromise. While the GDPR doesn't favor one legal basis over another, prioritizing consent aligns more closely with a rights-based approach that ensures data protection isn't sacrificed for the convenience of data-driven industries, EDRi argued in its post.

The EDPB opinion rightly recognized that AI models trained on personal data can't automatically be deemed anonymous because the models may memorize and reproduce elements of data they were trained on, raising concerns about potential re-identification and processing of personal data, EDRi said. This clarification was crucial because it reaffirmed that transforming personal data through AI training doesn't do away with GDPR obligations, it said. But, it added, the opinion should have explicitly stated that achieving true data anonymization is "in fact, virtually impossible for any of the current commercial model families, without worsening their performance considerably."

Other problems with the opinion include that it gives data protection authorities too much discretion, risking fragmented enforcement and inconsistent interpretations across jurisdictions, and that it assumes that AI developed by private companies will inherently serve the public good, EDRi said.

The EDPB isn't aware of complaints or requests for clarification of its opinion, a spokesperson told us previously. The spokesperson noted, however, that doesn't mean there might not be complaints. The DPC said previously it's still assessing the opinion, and that it has contacted all data controllers about it.