On December 18, 2024, the European Data Protection Board (EDPB) issued an opinion on personal data use in artificial intelligence (AI) in response to the Irish Data Protection Commission's request for more clarity regarding how the EU General Data Protection Regulation (GDPR) applies to AI.
The EDPB's opinion sets out a framework for the lawful use and development of AI. The EDPB confirmed that AI developers can rely on legitimate interest as a legal basis for model training; however, reliance on that basis must satisfy a three-step test, which Data Protection Authorities (DPAs) will use to assess it:
- identify the legitimate interest pursued by the controller;
- determine whether the processing is necessary to pursue that interest; and
- balance that legitimate interest against the interests, fundamental rights and freedoms of the data subjects.
The EDPB stressed that AI models developed with unlawfully processed personal data face significant legal scrutiny:
- controllers must identify and rectify any non-compliance during development; and
- DPAs retain the discretion to impose corrective measures, such as retraining the model or deleting the unlawfully processed data.
The opinion recognizes threat detection and cybersecurity as purposes for which AI may be used under the legitimate interest basis, while emphasizing the need for careful risk assessments and strict adherence to GDPR principles. The EDPB also reiterates the importance of data minimization and transparency throughout the AI model lifecycle, highlights governance practices such as regular audits, staff training and documentation to demonstrate compliance, and stresses the need for robust anonymization techniques.
The EDPB is preparing additional guidelines on anonymization, web scraping and automated decision-making. It reinforces that AI models must adhere to GDPR principles not only to achieve compliance but also to foster trust and transparency in organizations' AI-driven initiatives.