Myth-busting time! This week, the EDPB published its Opinion on AI models & personal data, and then the Italian authority revealed it had fined OpenAI. But unlike what some are suggesting, the Italian decision *predates* the EDPB Opinion by a month. So let’s dispel a few myths surrounding that Opinion:
– “Game changer”? The positions set out aren’t groundbreaking. On the two big topics (“is there processing of personal data [PD]?” and “can legitimate interest [LI] be used as a legal ground?”), the EDPB effectively says “up to the national authority”.
– “It outlaws LLMs”?
The answer to both topics raises concerns, yes.
On PD: it assumes that there is processing of PD by conflating user input (the type of “What is Donald Trump’s birthday?” scenario) with the actual generation of information in response to a query. Just because something is PD from the perspective of the user doesn’t make it so from the respondent’s perspective. It’s a missed opportunity for the EDPB to examine synthetic data & the limits of controllership, plus the impact of pseudonymisation for someone further down the line.
Its position re anonymisation seems nearly impossible to satisfy, which begs the question: why take an unrealistic position that goes further than the requirements of the GDPR and the notion of PD based on Recital 26 GDPR + the Breyer judgment?
It has broader implications. If theoretical attacks are now the standard to consider whether information has been transformed from PD (from whose perspective?) into anonymous data, the Breyer judgment made clear only lawful means of (re)identification matter. Is the EDPB’s stance in line with that, and is anonymisation ever good enough for the EDPB? (also important re Art. 32 GDPR)
On LI: it suggests that any time web scraping is involved, the “necessity” part of the test will fail, because of concerns that there might be alternative ways of achieving the result. This echoes the outrageous position adopted by the EDPB in its “biometrics in airports” Opinion, in which it said in effect that where two options are offered, the very offering of the less intrusive option makes the more intrusive one disproportionate and in breach of Art. 25 GDPR. [Don’t believe me? See para. 76 of that Opinion 11/2024.] It is a very “ivory tower” view of how necessity works in practice (it’s a bad precedent too).
Combine that with the mitigation measures the EDPB suggests, notably re data subject rights (DSRs), and you have a mix that looks nice on paper but is in my view unworkable (technically unfeasible approaches re DSRs), unhelpful (all up to national DPAs) and even disconcerting for the future of data protection compliance (see points re anonymisation + necessity).
LLMs *can* be lawful, more often than the EDPB suggests. I believe the EDPB’s approach is questionable, and will be working on a more in-depth critique. Some of my clients may already be considering challenging it, and I have a few ideas as to how to best do that.
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!