The European Data Protection Board (‘EDPB’) has published its 2024 annual report highlighting key milestones achieved throughout the year. Among these, the report refers to an opinion issued by the EDPB in December 2024 (the ‘Opinion’), which examines the use of personal data in AI models and the applicability of GDPR principles during the development and deployment of these models. Specifically, the Opinion explores the:

  • Processing of personal data in AI models and when this processing can be considered anonymous;
  • Instances in which legitimate interest can be used as a legal basis for developing or using AI models; and
  • Consequences of developing an AI model that unlawfully processes personal data.

Guidance from the Opinion, in the form of FAQs, is outlined below.

(1) When can personal data in an AI model be considered anonymous?

For data in an AI model to be considered anonymous, it must be highly unlikely that anyone can identify the personal data of individuals who developed the model (either directly or indirectly). Furthermore, personal data should not be retrievable from the AI model through the use of queries.

(2) How can I ensure the anonymity of personal data in an AI model?

To demonstrate the anonymity of personal data in an AI model, a controller should use the following methods:

  • Use anonymization techniques to prevent the singling out, linking or inferring of details about individuals from the dataset.
  • Review all reasonable ways a controller or third party may identify individuals from the dataset, including through:
    • The training data’s characteristics;
    • The context through which the AI model is released; and
    • The cost and time implications involved in re-identifying the data.
  • Determine if a third party or controller could ‘reasonably’ obtain access to the data and the risks involved with retrieving the personal information. 

(3) What legal basis may be appropriate for processing personal data in an AI model?

Legitimate interest can be an appropriate lawful basis for processing personal data when developing and deploying AI models, provided the controller:

  • Identifies the legitimate interest that is being pursued through the processing of the personal data;
  • Analyses the necessity of processing the personal data as part of the identified legitimate interest; and
  • Determines, as part of its analysis, that the data subject’s interests or fundamental rights do not override the legitimate interest.

(4) What impact does unlawful processing during the development of AI models have on subsequent processing activity?

The Opinion details the impact that unlawful processing may have on subsequent processing by distinguishing between three scenarios:

  • Same controller, continued use: a case-by-case analysis should be completed on the consequences of the initial unlawful use of data if the same controller then proposes to use the data for subsequent processing activities.
  • Different controller, continued use: if a different controller proposes to use data for processing activities, an analysis should be completed on whether the second controller carried out an appropriate, GDPR-compliant assessment to confirm that the AI model was not initially developed using unlawfully processed personal data.
  • Anonymisation before deployment: if personal data is used unlawfully during the development of the AI model but later anonymised by the controller prior to the deployment of the AI model, the GDPR would not apply to the subsequent processing of personal data. This means that the unlawfulness of the initial processing will not impact the subsequent processing activity.