The temporary banning of the AI tool ChatGPT in Italy has unleashed an intensive debate concerning requirements in data protection law for the development, operation and use of AI systems. German data protection authorities are also currently investigating whether ChatGPT meets the requirements of data protection law. To this end, the authorities have sent a privacy questionnaire consisting of over 40 questions to ChatGPT’s operator, OpenAI. This questionnaire provides interesting insight into the ongoing investigation and the approach taken by the data protection authorities. But the questionnaire may also be useful to companies in a variety of other ways when it comes to assessing and improving the compliance of AI systems with data protection law.
An eight-point plan for compliance of AI systems with data protection law
For example, alongside in-depth audits of the development, operation and use of AI systems, we can derive the following eight-point plan for a rapid assessment of this question. According to this plan, an AI system conforms to the requirements of the GDPR if …
- … the principles of data processing (e.g. purpose limitation, data minimization and storage limitation) are observed;
- … a legal basis can be cited for the processing of all personal data and if the special requirements in Article 9 of the GDPR are met when processing special categories of personal data;
- … the processing is conducted in a transparent manner and the rights of data subjects are protected;
- … the requirements for data security, data protection by design and data protection by default are met;
- … a data protection impact assessment was conducted;
- … the protection of children and adolescents is ensured;
- … an adequate level of data protection is ensured in case of third-country transfers;
- … questions relating to legal liability and compliance have been clarified in the event that the data is used by other services or companies.
Assessment and outlook
It is evident that there is a fundamental tension between AI and privacy. As a result, the compliance of AI systems with the GDPR will continue to be a matter of concern in the future not only for the authorities but in daily practice as well. The proposed AI Regulation is also likely to pose various legal challenges with regard to the use of AI. But this questionnaire from the data protection authorities provides controllers with a variety of ways to monitor and improve their compliance with data protection law, and those who develop, operate or use AI systems should act accordingly.