
EDPB issues guidance on the use of personal data in AI

24/01/2025

The European Data Protection Board (EDPB) has adopted an opinion on the use of personal data for the development and deployment of AI models.


With the EU AI Act coming into force over the course of the next 24 months, the opinion looks at when and how AI models can be considered anonymous, whether and how legitimate interest can be used as a legal basis for developing or using AI models, and what happens if an AI model is developed using personal data that was processed unlawfully. It also considers the use of first- and third-party data.

The opinion was requested by the Irish Data Protection Authority (DPA) in a bid to seek Europe-wide regulatory harmonisation.


Considering the scope of the request from the Irish DPA, the vast diversity of AI models and their rapid evolution, the opinion aims to give guidance on various elements that can be used for conducting a case-by-case analysis.


In addition, the EDPB is currently developing guidelines covering more specific questions, such as web scraping.


With European jurisdictions further down the road than the U.S. in enforcing the use of personal data in AI pursuant to the GDPR, and with the EU AI Act set to come into force, businesses should ensure that their data privacy and AI compliance activities are comprehensive and aligned towards mitigating non-compliance risk.


In terms of legitimate interest, the opinion provides general considerations that DPAs should take into account when they assess if legitimate interest is an appropriate legal basis for processing personal data for the development and the deployment of AI models.


A three-step test helps assess the use of legitimate interest as a legal basis, and the opinion also includes a number of criteria to help DPAs assess if individuals may reasonably expect certain uses of their personal data.


The ICO Response and EDPB Opinion show that, despite the UK’s departure from the EU, the UK and EU data protection regulators remain closely aligned on their views regarding the processing of personal data in the context of AI.


Because the U.S. lacks a federal comprehensive privacy law, its regulators approach generative AI without the same sort of unified statutory framework the GDPR or EU AI Act might provide.


However, California has recently made certain controversial changes to its existing state privacy law that implicate the regulation of AI models rather than merely personal information used by AI systems.


California’s privacy regulator, the California Privacy Protection Agency, is also notably in the process of developing regulations under its privacy laws concerning automated decision-making technologies (“ADMTs”).


W Denis Europe arranges comprehensive insurance for EEA-based businesses, large and small, including Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more.


For more information, please contact:


Eastern Europe

Vida.Jarasiunaite@wdenis.eu


Southern Europe

Christos.Hadjisotiris@wdenis.com


Western Europe &/or elsewhere worldwide

Mark.Dutton@wdenis.com
