The title [ChatGPT & Co.: EU Data Protection Officer Defends Data Minimization] and the statement It is a misconception that the principle of adequate data usage with AI has no place anymore, writes the EU Data Protection Officer in guidelines.
EU Data Protection Officer Wojciech Wiewiórowski has released guidelines on generative Artificial Intelligence (AI) and personal data for the EU administration. In the guidelines, he addresses privacy concerns in the era of chatbots and language models, as well as the conflict with the principle of data minimization from the General Data Protection Regulation (GDPR).
Wiewiórowski explains that the principle of data minimization remains essential in the age of AI. It is crucial to ensure that processed personal data are appropriate and relevant and limited to the extent necessary for the purposes pursued.
He highlights that using large datasets to train a generative AI system does not necessarily lead to higher effectiveness or better results. The key lies in designing well-structured datasets, focusing on quality over quantity, monitoring the training process closely, and regularly checking the results.
Organizations are obligated to limit the collection and processing of personal data to what is necessary and avoid acting randomly. EU institutions must consider available methods to minimize the use of personal data when developing and using generative AI models.
The processing of personal information in generative AI systems requires a legal basis in line with the GDPR. Wiewiórowski emphasizes that when implementing a legal obligation, the basis in EU law must be clear and precise. The use of consent as a legal basis must be carefully evaluated to meet all GDPR requirements.
Furthermore, a data protection impact assessment is required before any processing operation likely to pose a high risk to individuals’ rights and freedoms. Relevant risks should be identified and addressed throughout the lifecycle of the generative AI system, especially during updates and advancements.
Despite efforts to contain them, generative AI systems still tend to produce inaccurate results. This could negatively impact fundamental rights and violate the GDPR requirement for data accuracy. EU institutions must continuously monitor AI systems with this focus.
If the technology is intended to support decision-making processes, EU institutions must consider legality, fairness, and the risk of discrimination. According to the right to information, individuals should receive meaningful information about the logic, significance, and possible consequences of profiling and automated decisions.
