On 3 June 2024, the European Data Protection Supervisor (EDPS) published its inaugural orientations on the use of generative artificial intelligence (AI) by EU institutions, bodies, offices, and agencies (EUIs). These guidelines offer practical advice on managing personal data in compliance with Regulation (EU) 2018/1725 when deploying generative AI systems. They address a wide range of scenarios and stress adherence to fundamental data protection principles without mandating specific technical measures.
Context and Purpose
The orientations serve as a foundational step towards comprehensive guidance for EUIs. They are designed to help EUIs navigate the evolving landscape of generative AI technologies while ensuring data protection. Although the document does not delve into every potential issue, it provides initial responses and encourages EUIs to consider the broader implications of AI on data protection.
Key Questions Addressed
What is Generative AI?
Generative AI uses machine learning to produce various outputs like text, images, or audio, based on foundation models.
Can EUIs Use Generative AI?
EUIs can use generative AI if they meet all legal requirements, ensuring accountability and respect for fundamental rights.
Personal Data Processing
Generative AI involves data processing at multiple stages; compliance with data protection principles is essential.
Role of Data Protection Officers (DPOs)
DPOs advise and ensure compliance, providing crucial oversight in developing and deploying generative AI systems.
Data Protection Impact Assessments (DPIAs)
DPIAs are required for high-risk processing and help identify and mitigate risks to data protection throughout the AI lifecycle.
Lawful Processing of Personal Data
Processing is lawful if it meets one of the grounds specified in Regulation (EU) 2018/1725, such as public interest or consent.
Data Minimisation Principle
Only necessary personal data should be processed; indiscriminate data collection must be avoided to comply with this principle.
Data Accuracy Principle
Data must be accurate and up-to-date, requiring verification and regular monitoring throughout the AI system’s lifecycle.
Informing Individuals
Transparency is key; individuals must be informed about how, when, and why their data is processed by generative AI systems.
Automated Decisions (Article 24)
If AI systems involve automated decision-making, safeguards like human intervention and the right to contest decisions are necessary.
Ensuring Fair Processing and Avoiding Bias
Bias in AI systems must be minimized; EUIs need oversight mechanisms to prevent and correct unfair processing.
Exercise of Individual Rights
EUIs must facilitate individuals’ rights to access, rectify, erase, and object to data processing, ensuring transparency and traceability.
Data Security
AI systems must have robust security measures to protect against new and existing risks, with continuous monitoring and updates.
Additional Resources and Updates
Further guidance and updates will be provided as generative AI technologies evolve, ensuring EUIs remain compliant and informed.
Future Developments
The EDPS plans to refine and expand these orientations as generative AI technologies and their applications evolve. The guidelines will be updated within 12 months to incorporate new insights and developments from the EDPS’s monitoring activities.