Under the GDPR, controllers are required to provide individuals with information relating to what personal data is processed, and how that processing takes place. Some supervisory authorities have specifically taken the position that organizations which use personal data to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data subjects whose data have been collected and processed for the purposes of training algorithms . . . with information on how the processing is carried out, the logic underlying the processing . . . , [and] the rights to which they are entitled.”[1] While using personal data to train an AI may need to be discussed within a privacy notice, most supervisory authorities have not taken a formal position as to whether the inclusion of personal data in prompts that are intended to pose questions to an AI would specifically need to be disclosed within a privacy notice.[2] That said, the overall purpose of the processing (i.e., what the prompt relates to) might itself need to be disclosed.
For example, if an employee at an organization used personal data to a customer complaint, that use should be disclosed in the privacy notice as well as the lawful basis that permitted the use. Such a disclosure might read something like: “We have a legitimate interest in using personal data that we receive in complaints to respond to our customers”. If the same organization were to leverage AI to create a draft of a response to a customer complaint, and in the process share with the AI some amount of personal data in the form of a prompt (e.g., the original complaint received from a data subject), it is not clear whether a supervisory authority would consider the above privacy notice disclosure sufficient, or if the organization should specifically disclose that when drafting a response to customer complaints the organization supplies the customer’s information to an AI in the form of a prompt.
[1] Garante Per La Protezione Dei Dati Personali, Provision of April 11, 2023[9874702] (English translation).
[2] It should be noted, however, that if the personal information contained within prompts is repurposed by the AI for further training that fact may need to be separately disclosed.