On 17 December 2024, the EDPB published opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. The opinion discusses questions regarding:
- When and how an AI model can be considered as anonymous.
- How controllers can demonstrate the appropriateness of legitimate interest as a legal basis in the development and deployment phases.
- What the consequences are for unlawful processing of personal data in the development phase of an AI model on the subsequent processing or operation of the AI model.
Regarding anonymity, the Opinion states that an AI model’s anonymity needs to be assessed on a case-by-case basis, since the EDPB considers that AI models trained with personal data cannot, in all cases, be considered anonymous. For an AI model to be considered as anonymous, both the likelihood of direct (including probabilistic) extraction of personal data regarding individuals whose personal data were used to develop the model and the likelihood of obtaining, intentionally or not, such personal data from queries, should be insignificant. This assessment should consider “all the means reasonably likely to be used” by the controller or another person.
For legitimate interest, the Opinion outlines the three-step test: identifying a lawful, real, and specific legitimate interest; assessing the necessity of the processing; and conducting a balancing test to ensure the interest doesn’t override data subjects’ rights. This assessment should consider factors like the context of data collection, subjects’ reasonable expectations, and potential impacts. Controllers should consider implementing mitigating measures to minimize risks, especially during development and deployment.
The Opinion explains that Supervisory Authorities (SAs) have discretionary powers to evaluate potential infringements and possible consequences for unlawful processing. It also outlines three possible scenarios of such infringements.
