HB Ad Slot
HB Mobile Ad Slot
Under the GDPR, What Information Should an Organization that Transmits Personal Data in AI Prompts Put in Its Privacy Notice?
Tuesday, September 19, 2023

Under the GDPR, controllers are required to provide individuals with information relating to what personal data is processed, and how that processing takes place. Some supervisory authorities have specifically taken the position that organizations which use personal data to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data subjects whose data have been collected and processed for the purposes of training algorithms . . . with information on how the processing is carried out, the logic underlying the processing . . . , [and] the rights to which they are entitled.”[1] While using personal data to train an AI may need to be discussed within a privacy notice, most supervisory authorities have not taken a formal position as to whether the inclusion of personal data in prompts that are intended to pose questions to an AI would specifically need to be disclosed within a privacy notice.[2] That said, the overall purpose of the processing (i.e., what the prompt relates to) might itself need to be disclosed.

For example, if an employee at an organization used personal data to a customer complaint, that use should be disclosed in the privacy notice as well as the lawful basis that permitted the use. Such a disclosure might read something like: “We have a legitimate interest in using personal data that we receive in complaints to respond to our customers”. If the same organization were to leverage AI to create a draft of a response to a customer complaint, and in the process share with the AI some amount of personal data in the form of a prompt (e.g., the original complaint received from a data subject), it is not clear whether a supervisory authority would consider the above privacy notice disclosure sufficient, or if the organization should specifically disclose that when drafting a response to customer complaints the organization supplies the customer’s information to an AI in the form of a prompt.


[1] Garante Per La Protezione Dei Dati Personali, Provision of April 11, 2023[9874702] (English translation).

[2] It should be noted, however, that if the personal information contained within prompts is repurposed by the AI for further training that fact may need to be separately disclosed.

HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins