The Irish Data Protection Commission (DPC) has issued new guidance highlighting the significant General Data Protection Regulation (GDPR) risks associated with the development and use of Artificial Intelligence (AI). This guidance serves as a crucial reminder for individuals, organisations, and AI product designers to ensure their AI systems comply with data protection requirements, especially given the rapid adoption of AI technologies.
DPC's New AI Guidance: A Call for GDPR Compliance
The DPC’s guidance provides a high-level overview of AI tools and outlines the potential risks for individuals, organisations, and product developers. It particularly emphasises that popular AI systems, such as large language models (LLMs) used in generative AI chatbots, are often trained on vast datasets, which may include publicly accessible personal data. Where personal data is processed, GDPR and other data protection regulations apply to all parties involved.
Unforeseen Risks and GDPR Principles
Nicola Barden, a data protection expert at Pinsent Masons, noted that the guidance aims to encourage all AI users to consider the consequences of using personal data, especially those they might not be aware of. The DPC highlights that AI introduces new, previously unrecognised risks. For instance, the processing of personal data input into or used to train AI models can impact GDPR principles such as ‘lawfulness, fairness and transparency’ and ‘purpose limitation’.
Key Takeaways for AI Users and Developers
- Automated Decision-Making: The guidance warns against the risks of automated decision-making without critical human analysis, which can lead to bias and potential harm.
- Data Minimisation: It addresses the use of unnecessarily large amounts of personal data.
- Data Subject Rights: Individuals and organisations must have processes in place to facilitate data subject rights, including access, rectification, and erasure, particularly concerning personal data held within AI systems.
- Data Protection Impact Assessments (DPIAs): AI designers, developers, and providers are advised to conduct DPIAs and consider lawful bases for processing, data sharing agreements, privacy notices, and storage limitation principles.
Preparing for Future Compliance
The DPC’s guidance comes shortly after the Irish government launched a public consultation on the national implementation of the new EU AI Act. The Act will require AI system providers and users to comply with relevant data privacy regulations. Irish businesses are encouraged to begin preparing technical documentation and data governance policies to ensure compliance with both the new legislation and existing GDPR requirements.
Barden suggests that organisations, in their eagerness to adopt AI, may have overlooked these crucial data protection considerations. The DPC’s guidance serves as a timely reminder that data protection must be an integral part of AI development and deployment from the outset.