Can AI be GDPR compliant? What you should pay attention to.
At the beginning of February, the Italian data protection authority Garante ordered the AI chatbot Replika to stop processing citizens’ personal data. The AI software was intended to be a virtual ‘friend’ for social interactions, and it did not require age verification. The DPA found that the AI bot had processed children’s personal data without their consent.
As AI technologies develop, especially after the introduction of ChatGPT and Google Bard, more cases like this may arise.
And before you unwittingly find yourself in such a situation, it would be very useful to be aware of the provisions of the GDPR that are relevant to AI:
- Personal data:
AI systems are designed to collect large amounts of data, including personal data, which is then analysed and processed. Under the GDPR, certain requirements must be met. The focus is on transparency, lawfulness and security when processing personal data. AI systems must therefore be developed with these data protection requirements in mind. Users must be informed about what data is being collected and how it will be used. And they must be able to rely on AI systems to ensure the confidentiality, integrity and availability of their personal data.
- Profiling:
Under the GDPR, individuals have the right not to have their data used for ‘profiling’. Profiling is an automated process used to predict an individual’s behaviour, attitudes or interests based on data collected from them. Therefore, AI systems should be designed to clearly inform users of how profiling will be used.
- Consent:
Similar to the processing of personal data, the consent aspect of the GDPR requires users to explicitly, knowingly and voluntarily consent to the processing of their personal data. Therefore, AI systems must be designed to obtain such consent and provide users with comprehensive information about the data collected, the sharing of data with third parties, and the ability to revoke consent at any time.
Bottom line: AI developers must ensure that their systems are designed with data protection in mind, and that users are fully informed about the processing of their personal data. Compliance with the GDPR is crucial to building trust in AI systems, and ensuring that they are used in a way that respects citizens’ rights to privacy and data protection.