Digital developments in focus

The generation game: New EU guidelines published on generative AI and data protection

On 3 June, the European Data Protection Supervisor (EDPS) published guidelines on navigating the relationship between generative AI (GenAI) and data protection. While the EDPS’s guidelines are directed at EU institutions rather than businesses, they contain some accessible and practical guidance on data protection issues that are likely to be relevant to all organisations implementing GenAI solutions or considering doing so. They include, for example, a clear one-page description of GenAI and a list of key resources on data protection and AI from EU regulators and others. 

The guidelines are framed by the EDPS as “initial orientations” in advance of more comprehensive guidance. Some of the key takeaways include: 

Questions to ask providers of GenAI systems

  • Areas that an organisation should focus on in relation to engaging third-party providers of GenAI systems include challenging providers who suggest that their system does not process personal data. The guidance suggests it is “crucial” that the organisation asks about the specific controls (such as the use of anonymised data sets) that the provider has in place to support such a claim.
  • The guidelines also suggest that organisations using a bought-in GenAI system need to drill down into the procedures providers use to ensure data accuracy. For example, organisations are advised to obtain documentation giving detail on the approach taken to data collection and preparation, and contractual assurances on the accuracy of the data used for the system development. The information should allow organisations deploying the system to carry out their own accuracy checks in light of the risk of hallucinations. If accuracy cannot be maintained, the organisation should “consider” its use of the system.

The role of the DPO

  • Where GenAI systems process personal data, the DPO must advise on how data protection rules apply. This requires the DPO to have “a proper understanding” of the particular life cycle of the GenAI model and how it works, including inputs/outputs and the model’s decision-making processes. The EDPS is also clear that the DPO needs to have sufficient knowledge to be able to advise controllers on their DPIAs. 
  • The guidelines emphasise that the implementation of GenAI in compliance with data protection obligations is not a “one-person” effort but requires collaboration and “continuous dialogue” between the DPO, legal, IT and data security teams. 

Keeping a “vigilant approach” to risk  

  • The ICO has previously confirmed the importance of organisations carrying out DPIAs before implementing GenAI systems (including in its eight questions for GenAI developers in April last year and in its recently concluded investigation into Snap – a further blog from us is to follow). The EDPS guidance echoes this and makes the point that DPIAs should cover the entire GenAI life cycle and document actions taken to manage the risks identified (which may include consulting data subjects). It also emphasises the need for DPIAs to be regularly and systematically reviewed, as data protection risks could evolve and emerge as the GenAI system is used. 
  • The EDPS underlines the importance of maintaining clear and complete records of all processing activities undertaken as part of the functioning of the GenAI system, suggesting that organisations update their record of processing activities (ROPA) and even, as best practice, create a specific GenAI inventory. 

In its press release accompanying the guidelines, the EDPS notes that the answers to some questions are still evolving and further questions may arise as the technology develops and becomes more prevalent. It is also worth noting that these guidelines are issued by the EDPS in the context of its role as a data protection authority, rather than as the AI supervisor of EU institutions under the EU AI Act (in relation to which it is planning to issue separate guidance). As such, we expect the EDPS’s GenAI guidance to be refined and expanded upon in the coming months, with implications for organisations implementing GenAI solutions in the EU and beyond.

Many thanks to Roshni Ranasinghe-de Silva for her research assistance in preparing this post. 

It is the [organisation]'s responsibility to appropriately manage the risks connected to the use of generative AI systems. Data protection risks must be identified and addressed throughout the entire life cycle of the generative AI system.