Eight-point plan for compliance of AI systems with data protection law

The temporary banning of the AI tool ChatGPT in Italy has unleashed an intensive debate concerning requirements in data protection law for the development, operation and use of AI systems. German data protection authorities are also currently investigating whether ChatGPT meets the requirements of data protection law. To this end, the authorities have sent over a privacy questionnaire to ChatGPT’s operator, Open AI, consisting of over 40 questions. This questionnaire provides interesting insight into the ongoing investigation and the approach taken by the data protection authorities. But the questionnaire may also be useful to companies in a variety of other ways when it comes to assessing and improving the compliance of AI systems with data protection law.

An eight-point plan for compliance of AI systems with data protection law

For example, alongside in-depth audits of the development, operation and use of AI systems, we can derive the following eight-point plan for a rapid assessment of this question. According to this plan, an AI system conforms to the requirements of the GDPR if …

  1. … the principles of data processing (e.g. purpose limitation, data minimization and storage limitation) are observed;
  2. … a legal basis can be cited for the processing of all personal data and if the special requirements in Article 9 of the GDPR are met when processing special categories of personal data;
  3. … the processing is conducted in a transparent manner and the rights of data subjects are protected;
  4. … the requirements for data security, data protection by design and data protection by default are met;
  5. … a data protection impact assessment was conducted;
  6. … the protection of children and adolescents is ensured;
  7. … an adequate level of data protection is ensured in case of third-country transfers;
  8. … questions relating to legal liability and compliance have been clarified in the event that the data is used by other services or companies.

Assessment and outlook

It is evident that there is a fundamental tension between AI and privacy. As a result, the compliance of AI systems with the GDPR will continue to be a matter of concern in the future, not only for the authorities but in daily practice as well. The proposed AI Regulation is also likely to pose various legal challenges with regard to the use of AI. But this questionnaire from the data protection authorities provides controllers with a variety of ways to monitor and improve their compliance with data protection law, and those who develop, operate or use AI systems should act accordingly.
