Data is typically added to an AI to explain a problem, situation, or request (“input data”). Some popular AI models refer to input data by the term “prompt” as the user is prompting the AI to initiate an action, or to create additional information. Prompts can take different forms such as text prompts or image prompts, and they may, or may not, contain personal information. As an example, the prompt “what is Pi to the 15th digit” would contain no personal information whereas the prompt “write a letter to David Zetoony, a data privacy attorney in Colorado,” would contain personal information. If a controller decides to include personal information in a prompt, the controller is engaging in a form of “processing under the GDPR,” which, in turn, requires that the controller base the processing on one (or more) of the following six lawful processing purposes:[1]
- Consent. An organization may include personal information in a prompt if it collects the consent of the individual to whom the data relates. Note, however, that the GDPR has specific requirements for what constitutes sufficient consent to form the basis of processing.
- Necessary to perform a contract. An organization may include personal information in a prompt if doing so is necessary to perform a contract with the person to whom the information relates.
- Necessary to comply with a legal obligation. An organization may include personal information in a prompt if doing so is necessary to comply with a European legal obligation imposed upon the entity.
- Necessary to protect vital interests of a natural person. An organization may include personal information in a prompt if this is necessary to protect the “vital interests” of a person.
- Processing is necessary for the performance of a task carried out in the public interest. An organization may include personal information in a prompt if the processing is necessary to perform a task that is in the “public interest.”
- Processing is necessary for a legitimate interest pursued by a controller or a third party. An organization may include personal information in a prompt if the processing furthers a legitimate interest of the controller so long as the controller’s interest is not “overridden” by the interest or “fundamental rights and freedoms of the data subject which require protection of personal data.”[2]
European supervisory authorities have provided little guidance regarding when each of the above lawful purposes is likely to apply to situations in which personal information is included in a prompt, although most companies consider basing the inclusion of personal information in prompt-submitted data on either consent or the company’s legitimate interest.
[1] GDPR, Article 4(2) (definition of processing); Article 6(1)(a)-(f) (lawful purposes).
[2] GDPR, Article 6(1)(f).