Why the GDPR Is Crucial for the Use of AI
The development and use of artificial intelligence (AI) are undeniably central aspects of the modern technology industry. However, as AI’s appetite for data continues to grow, data protection is becoming an indispensable tool for regulating it. Recent developments at Meta demonstrate just how crucial the General Data Protection Regulation (GDPR) is to the regulation of AI.
The Meta AI Case: A Wake-Up Call for Data Privacy
In late May 2024, Meta informed its users about its plans to expand the use of AI across the platform. The announcement stated: “We are preparing to expand the use of AI across Meta to your region. ‘AI at Meta’ refers to all of our features and experiences that utilize generative AI—such as Meta AI and AI Creative Tools—as well as the models that power them.”
Meta planned to amend its privacy policy and, going forward, rely on legitimate interests to use user information for the further development of AI. However, this met with significant resistance from data protection advocates. The Hamburg Data Protection Authority and other European supervisory authorities received numerous complaints against Meta’s new privacy policy.
Following a meeting with the Irish Data Protection Commission (IDPC) on June 13, 2024, Meta decided to suspend the use of user data to train its own AI applications until further notice. This demonstrates how strictly data protection authorities monitor compliance with the GDPR.
Data Protection as a Regulator for AI
The GDPR sets clear limits on the use of personal data, including when it comes to training AI systems. The so-called Hambach Declaration issued by data protection supervisory authorities emphasizes that AI systems may only be used for purposes that are constitutionally legitimate. The principle of purpose limitation is crucial: any additional processing purposes must be compatible with the original purpose for which the data was collected.
In their latest guidance on AI, the supervisory authorities have made it clear that selecting and training AI applications in compliance with data protection regulations is crucial. There must be a legal basis for the use of personal data for training purposes, such as informed consent.
Data Protection Authorities as Potential AI Regulators
Data protection supervisory authorities recommend designating the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the state data protection authorities as market surveillance authorities under the proposed AI Act. This would enable a single point of contact for consultation and oversight and ensure compliance with the GDPR and the AI Act.
In Lower Saxony, the State Data Protection Commissioner is convening an expert panel on artificial intelligence, which is intended to provide impetus for the use of AI in government and business. The panel’s findings will be presented to the Lower Saxony State Parliament.
Conclusion: The GDPR and the AI Act as the key to minimizing AI risks
Alongside the AI Act, the GDPR remains the key tool for minimizing the risks associated with artificial intelligence. User data cannot simply be used as training data for AI; there must always be a legal basis, such as informed consent. The Meta case shows that data protection authorities are vigilant and that companies must strictly adhere to legal requirements.