Under the GDPR (Articles 13 and 14), controllers are required to inform individuals about what personal data is processed about them, for which purposes, and how that processing takes place.[1] Some supervisory authorities have specifically taken the position that companies which use personal information to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data subjects whose data have been collected and processed for the purposes of training algorithms . . . with information on how the processing is carried out, the logic underlying the processing . . . , [and] the rights to which they are entitled.”[2]
The following summarizes the type of information that should be included in a privacy notice (left column) and the impact that using personal information for training an AI would have on each requirement (right column):
| Summary of information required to be included in a privacy notice under GDPR Articles 13 and 14 | Implications if personal information is included in AI training data |
|---|---|
| 1. Contact info. Identity and contact details of the controller and, where applicable, of the controller’s representative. | No training data specific implication. |
| 2. Data protection officer. If the controller has a data protection officer, their name and contact details. | No training data specific implication. |
| 3. Purpose and legal basis. The purposes of the processing and the legal basis for each purpose. If the legal basis is the “legitimate interests” of the controller or of a third party, those interests must be described. | Article 6 of the GDPR permits a controller to process personal information as training data only if one (or more) of its six lawful bases applies (consent, contract, legal obligation, vital interests, public task, or legitimate interests). The privacy notice should identify model training as a purpose and state the lawful basis (or bases) the controller relies upon for it. |
| 4. Recipients. The recipients, or categories of recipients, of the personal data. | If the training data is transmitted to a separate controller (i.e., an AI provider that acts as a controller in its own right), that recipient should be described in the privacy notice. If the training data is transmitted to a processor (i.e., an AI provider acting only on the controller’s documented instructions), it may be sufficient to state that personal information is shared with service providers. |
| 5. Cross-border transfers. If the data will leave the European Economic Area (EEA), that fact must be disclosed, together with whether the destination is covered by an adequacy decision or, if not, the “appropriate or suitable safeguards and the means by which to obtain a copy of them.” | If an AI is hosted outside the EEA, and information collected from, or about, individuals in Europe will be included in the training data, the privacy notice should disclose the countries to which the information is sent and the transfer mechanism relied upon (e.g., an adequacy decision or Standard Contractual Clauses). |
| 6. Retention period. The period for which the data will be stored or, if that is not possible, the criteria used to determine that period. | The GDPR’s storage limitation principle requires that personal data be kept in identifiable form for no longer than necessary for the purposes for which it is processed. If personal information is used as training data, the controller should indicate how long it will be retained and used for that purpose; the retention criteria should cover the training corpus itself and any intermediate copies (e.g., preprocessed or tokenised datasets), not only the original records. |
| 7. Access rights. The existence of the right to request access to the personal data. | Individuals may have a right to access personal information about themselves that is included in training data. The privacy notice should disclose that right and explain how such requests can be submitted. |
| 8. Rectification rights. The existence of the right to have inaccurate personal data corrected. | Individuals may have a right to correct personal information about themselves that is included in training data. The privacy notice should disclose that right and explain how such requests can be submitted. |
| 9. Erasure rights. The existence of the right to have the personal data deleted. | Individuals may have a right to have personal information about themselves that is included in training data deleted (subject to the exemptions in Article 17). The privacy notice should disclose that right and explain how such requests can be submitted. |
| 10. Opt-out rights. Where processing is based on legitimate interests, the right to object; where it is based on consent, the right to withdraw consent at any time; and a description of how an objection or withdrawal can be submitted. | If the inclusion of personal information in training data relies on the controller’s legitimate interests, the privacy notice should disclose the individual’s right to object to that processing; if it relies on consent, the notice should disclose the right to withdraw consent at any time (without affecting the lawfulness of processing carried out before the withdrawal). In either case the notice should explain how the objection or withdrawal can be submitted. |
| 11. Complaints. A statement that the individual has the right to lodge a complaint with a supervisory authority. | No training data specific implication. |
| 12. Automated decision-making. The existence of automated decision-making, including profiling, and, where Article 22 applies, meaningful information about the logic involved and the significance and envisaged consequences of that processing for the individual. | There is no training data specific implication for the training step itself. However, if the trained AI will be used to produce output that plays a role in automated decision-making about individuals, that fact may need to be disclosed, and individuals may need to be given the right not to be subject to decisions based solely on such automated processing (or to obtain human intervention and contest them). |
[1] EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (Artificial Intelligence Act) at para. 60 (June 18, 2021) (stating that data subjects should be informed when their data is used for AI training).
[2] Garante Per La Protezione Dei Dati Personali, Provision of April 11, 2023 [9874702] (English translation).