With ChatGPT at the latest, the triumph of various tools equipped with artificial intelligence (AI) has reached the general public. Generative AI refers to a type of AI technology that can generate new content such as text, images or audio based on patterns and examples from existing data. Due to their ability to create realistic, especially convincing human-like content, such tools have gained considerable popularity in a very short time.

Although there is currently no comprehensive AI law (see below for more information), the development and use of generative AI does not only involve technical aspects. There are also legal issues, especially from a privacy perspective, which - let's be clear about this - have not all been conclusively clarified yet.

One of these questions is how individuals are to be informed transparently when their data is used in the context of such AI tools. Here, in addition to the specific content of the information, the "whether" as well as the "how" and "where" these obligations are met, is also crucial.

Information requirements according to the General Data Protection Regulation (GDPR)

Transparency is a decisive criterion not only for avoiding potential sanctions by supervisory authorities, but also in particular for the acceptance of new technologies by the public. From a data protection perspective, this transparency is to be achieved above all by adhering to the information obligations of Art. 12 et seq. GDPR. These are intended to ensure that data subjects can effectively exercise the rights granted to them by the GDPR, e.g. to information or deletion. The information obligation applies both to the direct collection of data from the data subject (Art. 13 GDPR) and in the event that the controller receives personal data from another source (Art. 14 GDPR).

Controllers are therefore obliged to inform data subjects about the processing of their personal data and in particular about the purposes of the processing, the categories of data processed, the storage period, any data recipients or their data protection rights. The information must always be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language".

Practical challenges in the use of generative AI

For the users of AI tools, the above points and especially the "how" of the information are still relatively easy to cope with – for example, via a detailed presentation in the form of a privacy policy on the controller's website. However, if personal data is processed for the purpose of "training" the AI, things quickly become complicated. This is because transparency is at least not inherent in AI systems. By their very nature, they are designed to process data independently and in a way that is often difficult to understand from the outside ("black box"). However, this makes it particularly difficult to present the complexity of the analytical processes used in such a transparent way that their scope can be assessed by the affected individuals.

It can also become particularly complex if the generative AI is to use data of data subjects for automated decision-making or profiling within the meaning of Art. 22 GDPR. In this case, the tool operator is explicitly obliged to provide "meaningful information about the logic involved [in the generative AI] as well as the significance and the envisaged consequences of such processing for the data subject". We will address this topic in more depth in a later blog post.

Regulating generative AI

An AI regulation is currently being negotiated at EU level, which could already be adopted this year. The regulation follows a risk-based approach and is intended to ensure uniform regulation of artificial intelligence in Europe. The current draft divides principally differentiates AI systems according to the risk associated with them. Depending on the risk, controllers are subject to correspondingly strict or less strict requirements. It has not yet been conclusively clarified in which category generative AI such as ChatGPT falls. Here, we must further monitor the development. In any case, comprehensive transparency obligations are also a core component of the current draft.

A large number of European supervisory authorities are also devoting increasing attention to the topic of generative AI. The European Data Protection Board (EDPB) as well as the German Data Protection Conference (Datenschutzkonferenz (DSK), consisting of the independent data protection authorities of the Federal Government and the Federal States) have each set up an "AI Task Force" and a "ChatGPT Task Force" respectively. The German DSK, for example, has also already published a position paper on recommended measures for the development and operation of AI systems in 2019 (link in German).

The injunction issued by the Italian data protection authority (Garante) against OpenAI, the provider of ChatGPT, also attracted particular attention recently. After a brief ban on the AI, this was lifted again after OpenAI implemented several additional measures ordered by the Garante, such as a revised privacy policy.

Conclusion

With regard to the information obligations, companies should in particular consider the following aspects when using generative AI:

  • Comprehensive documentation: Controllers should document in detail, in particular, the purposes and functionality of their generative AI systems as well as the origin of the raw or training data. Comprehensive documentation on the algorithms and data sources used is crucial for compliance with data protection requirements.
  • Clear and early communication: Data subjects should be informed in a clear and comprehensible manner about the use of their data in the context of generative AI and the associated data protection implications as soon as their data is collected. Complex technical details should be translated into easily understandable language.
  • Data protection by design: Data protection aspects should already observed during the development of generative AI and any associated systems. Data protection should be considered an integral part of the design and implementation of AI systems. This also applies the requirements of Art. 25 GDPR and facilitates subsequent compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.