By Leonardo Neri
One of the most popular panels at AI Governance Global 2023 was: “Can Generative AI Survive the GDPR?”.
The discussion with academic panelists, regulators (EDPS – European Data Protection Authority, among others) and industry, raised more questions than answers, in fact no one knew how to clarify how to reconcile the challenges of generative artificial intelligence and the rules of privacy and data protection.
Just to clarify, when we talk about generative AI, we understand artificial intelligence that creates on top of existing content, that is, that starts to think on top of the information presented to it.
In this sense, the panel produced an interesting discussion. We highlight in this brief article the points that we consider most important.
One observation was unanimous: it is still not clear how to converge data protection rules (in this case GDPR) and the challenges of generative artificial intelligence.
They at least recognized that a balance between data protection and technological innovation is needed to create a flexible regulatory environment for the development and application of AI.
Between GDPR and generative artificial intelligence the following questions have been raised:
- Legal hypotheses regarding the processing of information collected during the creation of educational materials. They understand that legitimate interest is the most important legal basis in this case;
- Transparency not only in the formation of the use of personal data, but also in the characteristics and functions of artificial intelligence systems;
- Data minimization due to uncertainty (and operational problems) in determining the retention time of the data used;
- Rights of data subjects (especially with regard to updating/correcting information and forgetting). To date, no solution has been found that would allow these rights to be exercised quickly and easily.
Recommendations?
Be careful in your risk analysis and balancing test and make sure the benefits outweigh the privacy risks.
Finally, the need for collaboration between industry, civil society and regulators was emphasized to develop good practices and take into account the complexity of AI in the protection of personal data.