AI Compliance by Design - Initial Stage: Strategic Planning under GDPR - Episode 1
The European Data Protection Board (EDPB) issued a nonbinding opinion in December 2024 on the processing of personal data in the context of AI models, aiming to balance AI innovation with fundamental data protection rights under the General Data Protection Regulation (GDPR).
According to the EDPB, AI models trained on personal data typically fall within the GDPR because such models can memorize or reproduce personal data, so using them constitutes personal data processing. For an AI model to be considered anonymous under the GDPR, the EDPB states that both the likelihood of extracting (directly or probabilistically) personal data about the individuals whose data was used for training, and the likelihood of obtaining such personal data, intentionally or not, through queries to the model, must be insignificant.
The assessment of this likelihood must consider all means reasonably likely to be used to identify individuals, in line with Recital 26 of the GDPR. The existing guidance on anonymization (the Article 29 Working Party's Opinion 05/2014 on anonymization techniques) is also relevant when examining whether an AI model is anonymous.
In practical terms, the EDPB's opinion points supervisory authorities to factors such as the steps taken during AI design to avoid or minimize the collection of personal data or to reduce identifiability, testing of the AI model's resistance to attacks aimed at re-identification (for example, attempts to extract or reconstruct training data), and detailed documentation of the processing operations, including how anonymization is implemented and verified.
The EDPB emphasizes that the assessment is case-specific and must objectively consider evolving means of identification. Pending judgments at the Court of Justice of the EU may further influence this analysis.
The most relevant legal bases for AI under the GDPR are consent and legitimate interests. Consent for AI processing must be freely given, specific, informed, and unambiguous, and must be provided by a clear affirmative action. Legitimate interests may be relied on provided the following three-step test is satisfied: the processing pursues a legitimate interest, the processing is necessary to pursue that interest, and the interest is not overridden by the interests or fundamental rights and freedoms of the individuals concerned.
The AI development life cycle encompasses four distinct phases: planning, design, development, and deployment. A Data Protection Impact Assessment (DPIA) is mandatory under Article 35 GDPR where the processing is likely to result in a high risk to individuals, and is prudent best practice for AI projects in any case, as it allows organizations to identify and address data protection risks before they materialize, assess the impact of their solutions, and demonstrate accountability.
In short, the EDPB's opinion recognizes that AI models trained on personal data usually fall within the GDPR. Only if an AI model meets the strict criteria that render identification of individuals negligible can the model be deemed anonymous and thus fall outside the GDPR. Data protection principles and compliance steps (such as data minimization, security, and transparency) should govern the development and deployment phases of AI separately, since each phase is a distinct processing operation, with a valid legal basis (e.g., consent or legitimate interests) required for each.
Following the EDPB opinion, the French data protection authority CNIL recommends measures such as implementing robust filters around AI models to prevent personal data leakage and stresses the importance of secure development and proper annotation of training data to comply with GDPR.
| Aspect | EDPB Position |
|---|---|
| GDPR applicability to AI models | Applies if the model is trained on or memorizes personal data |
| Conditions for an AI model to be considered anonymous | Very low risk of re-identification, assessed comprehensively considering all means reasonably likely to be used |
| Key factors for the anonymity assessment | Data minimization, resistance to re-identification attacks, documentation of anonymization processes |
| Legal basis for processing personal data in AI | Consent or legitimate interests, evaluated separately for each phase |
| Practical recommendations | Robust filters, secure development, careful annotation of training data, transparency and accountability |
This reflects the current EDPB stance as of late 2024 and mid-2025, with pending cases before the Court of Justice of the EU potentially affecting the EDPB's analysis. The balancing test in determining legitimate interests must identify and describe the different opposing rights and interests at stake, including individuals' interests in retaining control over their personal data, financial interests, personal benefits, socioeconomic interests, and the AI developer's fundamental right to conduct business.
In light of the EDPB's opinion, ensuring regulatory compliance for AI models, including those built and operated on cloud data platforms, requires considering whether the GDPR applies to the model, whether the model can be considered anonymous, and the key factors in that anonymity assessment. Data protection principles such as data minimization, security, and transparency should be integrated into both the development and deployment phases. A valid legal basis, such as consent or legitimate interests, is required for lawful processing, and where legitimate interests are relied on, the balancing test must identify and describe the opposing rights and interests at stake. Practical recommendations include implementing robust filters around the model, ensuring secure development, and carefully annotating training data.