The use of artificial intelligence (AI) across sectors and applications is increasing rapidly, offering new opportunities and challenges for organisations. AI also poses risks to the privacy and data protection of individuals, especially when personal data is processed. In this blog post, we discuss the importance of transparent information and of assessing the appropriate legal basis for processing the personal data of data subjects when using AI solutions in an organisation.
Processing personal data without properly informing the data subjects, or without a valid legal basis (consent or otherwise), can expose an organisation to legal risks and reputational damage. Recent court cases illustrate this point.
The GDPR requires data controllers, i.e. the organisations that determine the purposes and means of the processing of personal data, to provide clear and concise information to data subjects, i.e. the individuals whose personal data are processed, about the purposes and legal bases of the processing as well as their rights and choices. This is essential to ensure that data subjects are informed and empowered to exercise their rights, such as the right to access, rectify, erase or object to the processing of their personal data or the right to data portability.
The GDPR provides six possible legal bases: consent, performance of a contract, legal obligation, vital interests, a task carried out in the public interest (or in the exercise of official authority) and legitimate interests. Among these, consent is often assumed to be the most appropriate and respectful way to process personal data, as it implies that the data subjects have freely given a specific, informed and unambiguous indication of agreement to the processing of their data for a clearly defined purpose. However, consent is not always easy to obtain or to prove, and it can be withdrawn at any time by the data subjects; once withdrawn, the processing based on it has to stop. Besides that, the following aspects need to be considered when using consent as a legal basis for AI use cases:
It is therefore important to assess carefully whether consent is the most suitable legal basis for the data processing activity, or whether another legal basis applies. For example, if there is a contractual relationship with the data subjects and the processing is necessary to fulfil the contract, one could rely on the performance of a contract. Or, if the organisation pursues a legitimate interest that is not overridden by the interests or fundamental rights and freedoms of the data subjects, one could rely on legitimate interests. In the latter case, a documented case-by-case assessment (a legitimate interest assessment) is necessary: it has to establish that the interest is legitimate, that the processing is necessary to pursue it, and that the use of personal data for this purpose does not disproportionately infringe on the privacy of the data subjects.
Regardless of the legal basis and the category of data, the data controller is required to provide transparent information to the data subjects about the processing of their data. This includes the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients of the data and any transfers to third countries, the retention period, and the rights of the data subjects to access, rectify, erase, restrict, object to or port their data. Where the AI solution involves automated decision-making, including profiling, the controller also has to inform the data subjects of its existence and provide meaningful information about the logic involved. Many privacy notices still do not sufficiently cover this information for AI use cases.
The use of AI in many organisations has increased significantly. Irrespective of whether the EU AI Act applies, the general data processing principles of the GDPR need to be observed. As a next step, companies should pay particular attention to the following aspects:
By providing transparent information and assessing the right legal basis for processing personal data, a company meets two core GDPR requirements and at the same time builds trust with clients, partners and other stakeholders.
Have you already assessed whether adjustments to your privacy management programme are required to address AI use cases, and if so, which ones? Our experts are happy to support you.