Lawful processing of personal data when using AI

  • Blog
  • 5 minute read
  • 24/07/24
Philipp Rosenauer

Partner Legal, PwC Switzerland

The use of artificial intelligence (AI) across sectors and applications is increasing rapidly, offering organisations new opportunities as well as new challenges. AI also poses risks to the privacy and data protection of individuals, especially when it involves the processing of personal data. In this blog post, we discuss why transparent information and a careful assessment of the legal basis for processing data subjects' personal data matter when an organisation deploys AI solutions.

Legal background

Processing personal data without properly informing the data subjects concerned, or without their valid consent, can expose an organisation to legal risk and reputational damage. Recent court cases illustrate this point.

The GDPR requires data controllers, i.e. the organisations that determine the purposes and means of the processing of personal data, to provide clear and concise information to data subjects, i.e. the individuals whose personal data are processed, about the purposes and legal bases of the processing as well as their rights and choices. This is essential to ensure that data subjects are informed and empowered to exercise their rights, such as the right to access, rectify, erase or object to the processing of their personal data or the right to data portability.

The GDPR provides six possible legal bases: consent, performance of a contract, legal obligation, vital interest, public interest and legitimate interest. Among these, consent is often considered the most appropriate and respectful basis for processing personal data, as it implies that the data subjects have freely given specific and informed agreement to the processing of their data for a clear and defined purpose. However, consent is not always easy to obtain or to prove, and data subjects can withdraw it at any time. In addition, the following aspects need to be considered when relying on consent as the legal basis for AI use cases:

  • Freedom of consent must be subject to a certain degree of vigilance in the event of an imbalance of power between the data subject and the controller (e.g. the data controller is a public authority or an employer)
  • In some cases, it may not be possible to obtain valid consent (e.g. when the data controller collects data that is accessible online or re-uses an open database)
  • There may be difficulties linked to the right to withdraw consent, for example due to technical obstacles to the identification of data subjects

It is therefore important to assess carefully whether consent is the most suitable legal basis for the data processing activity, or whether another legal basis could apply. For example, where a contractual relationship with the data subjects exists and the processing is necessary to fulfil that contract, one could rely on the performance of a contract as the legal basis. Or, where there is a legitimate interest in processing the data that is not overridden by the rights and interests of the data subjects, one could rely on legitimate interest as the legal basis. In the case of legitimate interest, however, a case-by-case analysis is necessary to determine whether using personal data for this purpose disproportionately infringes on the privacy of the data subjects.

Regardless of the legal basis and the category of data, the data controller is required to provide transparent information to the data subjects about the processing of their data. This includes the identity and contact details of the controller, the purpose and legal basis of the processing, the recipients of the data and any transfers, the retention period and the rights of the data subjects to access, rectify, erase or restrict their data, to object to the processing, and to data portability. Many privacy notices still do not sufficiently cover this information for AI use cases.

Conclusion and next steps

The use of AI in many organisations has increased significantly. Irrespective of the potential applicability of the EU AI Act, the general data processing principles of the GDPR need to be considered. As a next step, companies should especially pay attention to the following aspects:

  • Review and update of the Register of Processing Activities (ROPA): Does my AI use case constitute a new processing activity? Is it required to update an already existing processing activity? 
  • Transfer of data to third parties: Am I transferring personal data to new third parties as part of my AI use case?
  • Review and update of privacy notice: Have I transparently informed data subjects about the potential new processing activities related to the AI use cases?
  • Legal basis: In the event that the GDPR is applicable to a company, what is the valid legal basis for processing personal data as part of the AI use case?

By providing transparent information and assessing the right legal basis for processing personal data, a company complies with the GDPR and, at the same time, builds trust with clients, partners and other stakeholders.

Have you already assessed if adjustments are required to your privacy management programme to address AI use cases, and which ones? Our experts are happy to support you. 

Contact us

Philipp Rosenauer

Partner Legal, PwC Switzerland

+41 58 792 18 56
