The EU’s General Data Protection Regulation (GDPR) applies to two types of entities – “controllers” and “processors.”
A “controller” refers to an entity that “determines the purposes and means” of how personal information will be processed.[1] Determining the “means” of processing refers to deciding “how” information will be processed.[2] That does not necessitate, however, that a controller makes every decision with respect to information processing. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means.”[3] “Essential means” refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered “traditionally and inherently reserved to the controller.”[4] “Non-essential means” refers to more practical aspects of implementing a processing activity that may be left to third parties – such as processors.[5]
A “processor” refers to a company (or a person such as an independent contractor) that “processes personal data on behalf of [a] controller.”[6]
Data typically is needed to train and fine-tune modern artificial intelligence models. They use data – including personal information – in order to recognize patterns and predict results.
Whether an organization that utilizes personal information to train an artificial intelligence engine is a controller or a processor depends on the degree to which the organization determines the purpose for which the data will be used and the essential means of processing. The following chart discusses these variables in the context of training AI:
| Function | Activities Indicative of a Controller | Activities Indicative of a Processor |
| --- | --- | --- |
| Purpose of processing | | |
| Why the AI is being trained. | If an organization makes its own decision to utilize personal information to train an AI, then the organization will likely be considered a “controller.” | If an organization is using personal information provided by a third party to train an AI, and is doing so at the direction of the third party, then the organization may be considered a processor. |
| Essential means | | |
| Data types used in training. | If an organization selects which data fields will be used to train an AI, the organization will likely be considered a “controller.” | If an organization is instructed by a third party to utilize particular data types to train an AI, the organization may be a processor. |
| Duration personal information is held within the training engine | If an organization determines how long the AI can retain training data, it will likely be considered a “controller.” | If an organization is instructed by a third party to use data to train an AI, and does not control how long the AI may access the training data, the organization may be a processor. |
| Recipients of the personal information | If an organization determines which third parties may access the training data that is provided to the AI, that organization will likely be considered a “controller.” | If an organization is instructed by a third party to use data to train an AI, but does not control who will be able to access the AI (and the training data to which the AI has access), the organization may be a processor. |
| Individuals whose information is included | If an organization is selecting whose personal information will be used as part of training an AI, the organization will likely be considered a “controller.” | If an organization is being instructed by a third party to utilize particular individuals’ data to train an AI, the organization may be a processor. |
[1] GDPR, Article 4(7).
[2] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.
[3] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[4] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[5] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[6] GDPR, Article 4(8).