Module 5: Existing Laws & AI · BoK III.A
The EDPB Opinion on AI Models (2024)
Prompted by the Irish DPA, the European Data Protection Board harmonised how the GDPR treats AI models in three answers: when a model is anonymous, when legitimate interest is a valid basis (the Interest → Necessity → Balance test), and how to handle unlawfully processed training data.
The Irish DPA asked the European Data Protection Board to harmonise how the GDPR treats AI models. Three questions, three answers.
- Part 1 · When is a model anonymous? Assessed case-by-case. Anonymous only if (1) personal data from the training set cannot be extracted out of the model AND (2) outputs from querying do not relate to the data subjects whose data trained it.
- Part 2 · Legitimate interest as a basis. Apply a three-step test → is there a lawful and legitimate interest? Is processing really necessary for it? Balancing test → do individuals' interests and rights override it?
- Part 3 · Unlawful training data. If a model was developed on unlawfully processed personal data, the opinion addresses three scenarios, with the recurring theme that case-by-case analysis is required. Includes a nonexhaustive list of mitigating measures.
Mnemonic · Interest → Necessity → Balance
The EDPB's three-step legitimate-interest test, in order.
Reasonable-expectation criteria (Part 2 extras)
Whether the data is publicly available · the relationship between controller and individual · the nature of the service · the context and source of collection · potential further uses of the model · whether individuals are aware their personal data is online.
Key terms - quick answers
What is “EDPB opinion (2024)”?
European Data Protection Board opinion (prompted by the Irish DPA) on anonymity, legitimate interest and unlawful training data for AI models.
What is “Legitimate interest test”?
Three-step test - Interest → Necessity → Balance - to rely on legitimate interest as a lawful basis.