AI and GDPR: Establishing a Lawful Basis to Process Personal Data with Artificial Intelligence

July 12, 2023

Thus far in 2023, Artificial Intelligence has been the talk of the town. From a proliferation of new platforms promising to revolutionize various industries with their AI capabilities to established tools embedding the technology into new and existing features, everything seems to be riding the wave. But with great power comes great responsibility!

One such responsibility for organizations and the technologies they use is to respect the privacy rights of consumers. In the area of AI this is no different. While governments across the globe are working on new legislation and issuing guidance on how current regulations apply to AI, it’s important to also look at what is in place today and ensure the requirements already in force are being followed. We’ve already seen a number of challenges in the EU for AI running afoul of GDPR. In March, Italy briefly banned ChatGPT until a number of privacy requirements were met, while in June, Google was forced to delay the release of its Bard chatbot until it could assure European regulators that its privacy controls were properly in place.

One of the central concerns with AI and compliance with GDPR is having a proper lawful basis for the processing of personal data used to train things like Large Language Models (LLMs) and personal data input for automated decision making. For many use cases, the lawful basis for processing of personal data will rely upon either consent or legitimate interests. So what should your organization keep in mind before leveraging these technologies with European users’ data? Let’s take a look.

GDPR and Processing Personal Data

It is helpful to first take a step back and refresh on the lawful bases available for the processing of personal data and the requirements for the most common ones used in marketing and advertising use cases. GDPR defines six lawful bases for processing personal data:

  1. Consent – the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract – processing is necessary for a contract with the individual.
  3. Legal obligation – the processing is necessary for you to comply with the law.
  4. Vital interests – the processing is necessary to protect someone’s life.
  5. Public task – the processing is necessary for you to perform a task in the public interest and the task has a clear basis in law.
  6. Legitimate interests – the processing is necessary for your legitimate interest or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For most marketing and advertising use cases, organizations will rely on either consent or legitimate interests as the lawful basis for processing personal data.

Consent, as defined in GDPR, is “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. In practice this means the indication must be unambiguous and take the form of a clear affirmative action; silence, pre-ticked boxes, or inactivity do not qualify.

Legitimate interest, on the other hand, places the onus on the controller responsible for the processing. The controller must show that use of personal data is proportionate, has minimal privacy impact, and people would not be surprised or likely to object. There are three elements that must be defensible in order for the legitimate interest to be valid:

  1. Purpose test – used to identify a legitimate interest; essentially an identification of the specific purpose of the processing activity.
  2. Necessity test – an evaluation that the processing is necessary to achieve the stated purpose.
  3. Balance test – an evaluation to balance the stated business interest against the subject’s interest, rights, and freedoms; is the outcome for the consumer a net benefit when compared against the potential risks to their privacy rights resulting from the processing activity?

It is important to note that the lawful basis selected must be determined before processing, the processing activity must be “necessary” (as evidenced through the use of a necessity test), and a Privacy Notice must specify the lawful basis used for the defined processing use case.

The challenges for new AI technologies begin to arise from this last point. In the case of LLMs such as ChatGPT, the models are trained on large volumes of data scraped from the internet, some of which is the personal data of consumers. In this case, no prior notification is made to the individual that their data will be used for such a purpose (model training), and no lawful basis is defined and communicated prior to processing. Further, as evidenced by the delayed Google Bard launch, the necessary tests and evaluations are not being completed to ensure privacy rights are properly balanced against the interests of the businesses doing the processing.

These are general concerns in the case of LLMs and broader AI technologies, but what about using AI features and tools within your own organization? In this case, it’s important to keep the requirements outlined above in mind:

  1. Establish a lawful basis for processing your consumers’ personal data prior to any collection for the purpose of the stated use case.
  2. Be transparent! Properly disclose the fact that you will be processing the consumer’s personal data, what it means for them, and the lawful basis being used.
  3. In the case of consent, obtain lawful consent prior to any processing of personal data for the stated use case.
  4. In the case of legitimate interest, do the necessary tests to ensure the business interest and outcomes for the consumer are properly weighed against the privacy risks.

While this is just the start, it is a good, principled place to begin when considering the use of AI for any marketing and advertising use case. Always involve your privacy and legal teams early in the design process for any new strategies and initiatives that are likely to involve personal data, to ensure full GDPR requirements are met and proper protections are in place. While AI is a shiny new toy to play with, remember the fundamentals and always respect the privacy rights of your consumers.


Author

  • Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

Last Updated: July 12, 2023
