
Out-Law News

Irish data protection commission highlights GDPR risks in developing and using AI


Users of artificial intelligence (AI) tools and businesses that design, develop and provide AI products should pay close attention to the risks associated with any processing of personal data by their AI systems, and ensure the processing is compliant with the General Data Protection Regulation (GDPR), a data protection expert has said.

The importance of AI-related GDPR compliance is the emphasis of new guidance published by the Data Protection Commission (DPC) in Ireland. The guidance provides a high-level, easy-to-follow summary of AI tools in the market and outlines the risks and considerations in using AI for individuals, organisations and product designers, developers and providers.

Data protection expert Nicola Barden of Pinsent Masons said: “As AI is a fast-moving technology, with its rapid adoption, it is easy to see how data protection requirements can be overlooked. The DPC is using the guidance to highlight the risks of using AI to the average person. It pays particular attention to risks that individuals may not be aware of but that might impact them and others.”

The DPC explained in the document that popular AI systems using large language models (LLMs), such as chatbots based on generative AI, are often trained on many large datasets, so they are capable of understanding and generating natural language and other types of content to perform a wide range of tasks.

Sometimes, the training data includes publicly accessible data on the internet and may contain personal data. Where personal data is involved, the DPC flagged, the GDPR and data protection regulations come into play for individuals and organisations using AI systems, as well as for the model and product providers.

“The aim of the guidance appears to be to encourage all users of AI to consider the consequences of using personal data in AI tools, particularly those that they may not be aware of. It states that AI poses new risks that were not previously recognised or given consideration,” said Barden.

In an example used by the DPC, risks can arise for users of AI products from unwanted, unneeded or unanticipated processing of personal data input to or used to train or fine-tune an AI model. This may impact or involve several principles of the GDPR, including the ‘lawfulness, fairness and transparency’ principle and the ‘purpose limitation’ principle. The guidance suggested that individuals and organisations should have processes in place to facilitate the exercise of data subject rights related to the engagement with the AI products.

The guidance also focuses on risks such as use of unnecessarily large amounts of personal data, use of AI in automated decision making, and use for purposes the individual isn’t aware of. It said that “automated decision making” can create bias and that purely automated decisions without critical human analysis or intervention have the potential to cause harm.

For AI designers, developers and providers, the guidance sets out data protection considerations at a high level, including the need to carry out a data protection impact assessment and consider the lawful basis for processing, data sharing agreements, privacy notices and the principle of storage limitation.

In particular, the guidance touches on the requirement for data subjects to be able to exercise their rights effectively, such as the rights of access, rectification or erasure, and stresses that this must be considered at an early stage in development. For example, organisations should ask themselves if they can delete someone’s personal data held on the AI system, if the data subject requests it.

“These are points that organisations may have disregarded in their eagerness to get access to AI and the promise to make their work easier,” said Barden.

The publication of the guidance comes shortly after the Irish government launched a public consultation on the national implementation of the new EU AI Act, which requires AI system providers and users to comply with relevant data privacy regulations regarding the data used by the AI system. Irish businesses should start preparing technical documentation and data governance policies in order to gear up for compliance with the new legislation, the GDPR and other data protection regulations.
