AI data collection, use a key question for EU privacy regulators

This article was written by Isabel Gottlieb. It appeared first on the Bloomberg Terminal. 

The tension between generative AI’s voracious appetite for data and the limitations of EU privacy law on information collection is among the most critical issues for policymakers, one of the bloc’s top privacy officials said.

“The biggest challenge is to get to know and to understand for which purposes which data are collected,” and how it will be transferred between entities, said Wojciech Wiewiórowski, the European Data Protection Supervisor.

He pointed to the concepts of purpose limitation and data minimization—which call for data to be collected only for specific purposes, and only when necessary for those purposes—as crucial to evaluating AI’s privacy implications.

Wiewiórowski—who oversees data protection within EU bodies and institutions and advises lawmakers on the privacy implications of EU policy—spoke to Bloomberg Law in a pre-recorded interview that aired Wednesday.

Generative AI’s privacy implications

Generative AI platforms ingest massive amounts of data to train on. It’s not clear how or whether that model will clash with EU privacy law, which sees privacy as a fundamental right and puts boundaries on how personal data is used.

The technology has already seen some scrutiny from privacy regulators in the EU.

ChatGPT was blocked in Italy earlier this year when the country’s data protection authority investigated the platform, though access has since been restored.

Companies developing and using the technology should perform self-assessments on how they are using data, rather than regulators banning many uses of the technology, Wiewiórowski said. European data protection officials do support a ban on AI applied to facial recognition and remote biometric technologies, he added.

“What my client knows about the things that are done with his data, with information about him, is the most important thing. I rather insist on the companies or entities or scientists to ask these questions to themselves, and being able to answer them and record the answers that they gave,” he said.

The EU is negotiating an Artificial Intelligence Act, which prescribes higher scrutiny for higher-risk uses of AI—such as credit scoring for loans, or law enforcement. But the AI Act won’t do much to address privacy concerns, Wiewiórowski said.

In his initial impression, an EU AI Act “does not change anything from the data protection point of view because most of the data protection questions are already answered in GDPR and the other regulation.” But a newer draft of the law, with its risk-based framework, can facilitate self-assessment by companies and monitoring of the market, he said.

Nonetheless, he said regulators already have a “toolbox” to deal with AI.

“Of course, this toolbox can be made better,” he added. “But it doesn’t mean that we are defenseless at the moment.”

Centralized GDPR enforcement

European privacy regulators are also considering reforms to GDPR, focusing on making the law’s enforcement smoother across borders, Wiewiórowski said.

A review will kick off next year, laying the basis for the European Parliament and European Commission to propose changes in 2025, Wiewiórowski said. No material changes will be made to European data protection law in the near term, he added.

Procedures for enforcement of the General Data Protection Regulation, the landmark EU privacy law that became effective in 2018, can fall short when complaints span multiple member states, Wiewiórowski said.

“You have the complaints, which are coming from 29 countries, and the 30th country is the one where the procedure is done,” he said.

GDPR allows individuals to bring complaints to their national data protection authorities about how their personal data has been handled.

The answers to questions like how fast or how robust the process is may differ from country to country or when dealing with big tech, he added.

Wiewiórowski has called for the enforcement of GDPR to become more centralized to help address the uneven approaches to enforcement.

“I’m not talking about one central body or one central data protection authority being established, but rather the role of the EDPB, European Data Protection Board, as this body which is connecting all the data protection commissioners in Europe,” he said.

US-EU convergence?

The lack of a federal privacy law in the US isn’t necessarily a major hurdle to alignment with the EU, Wiewiórowski said. Some countries without comprehensive data protection laws are acceptable to the EU, while others—such as China and Russia—do have comprehensive privacy laws but aren’t recognized as privacy-friendly by the EU, he added.

“What are the main differences? Well, somebody said years ago that the definition of hell in privacy law would be European law with American enforcement,” he said. “In my opinion that would be rather a good solution.” Europeans are good at creating legal grounds for privacy protection, and the US is good at point-by-point enforcement, he added.

“So let’s not talk that much about differences. We know them. We know that they exist,” he said. “Let’s try to talk about the ways to build bridges and to cooperate together, which is possible.”
