Lately, artificial intelligence (AI) publishers have been in the spotlight for their handling of personal data. AI systems based on machine learning often depend on massive volumes of data, much of it personal. The General Data Protection Regulation (GDPR) imposes strict obligations of transparency, lawfulness and respect for individuals' rights, obligations that fully apply to generative AI technologies.
The GDPR is based on fundamental principles that apply to AI systems processing personal data. Their implementation in this context presents specific challenges linked to the nature of machine learning technologies.
Article 5(1)(a) of the GDPR requires personal data to be processed transparently. For AI systems, this means clearly informing individuals about how their data is collected and used, and for what purposes, a requirement that is particularly hard to satisfy given the inherent opacity of some algorithms, such as deep neural networks.
The onus is on the developers of generative AI to explain clearly how data shapes the decisions made by their models. Yet making these algorithms transparent is difficult, both because of their sophistication and because of the need to preserve the trade secrets and intellectual property of AI publishers.
According to Article 5(1)(c), only the data necessary for the purpose of the processing may be collected. This principle can seem hard to reconcile with AI, where models thrive on vast data sets. Publishers must justify each piece of data they use and consider alternatives such as federated learning or synthetic data to reduce their dependence on personal data.
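As a toy illustration of these two ideas, the sketch below keeps only the fields needed for a stated purpose and then derives naive synthetic rows from them. The field names and the simplistic resampling are assumptions made for illustration; production synthetic-data pipelines add formal guarantees such as differential privacy.

```python
import random

# Hypothetical records containing personal data (field names are invented).
real_records = [
    {"name": "Alice", "email": "alice@example.com", "age": 34, "plays_per_day": 12},
    {"name": "Bob", "email": "bob@example.com", "age": 29, "plays_per_day": 7},
]

def minimise(record, needed_fields):
    """Article 5(1)(c): keep only the fields necessary for the purpose."""
    return {k: v for k, v in record.items() if k in needed_fields}

def synthesise(rows, fields, n, seed=0):
    """Naive synthetic data: resample each field independently, severing
    the link between a generated row and any single real individual."""
    rng = random.Random(seed)
    return [{f: rng.choice([r[f] for r in rows]) for f in fields} for _ in range(n)]

# Only age and usage habits are needed to train a hypothetical recommender.
training_rows = [minimise(r, {"age", "plays_per_day"}) for r in real_records]
synthetic_rows = synthesise(training_rows, ["age", "plays_per_day"], n=100)
```

The point of the sketch is the order of operations: names and email addresses are discarded before any training data is assembled, so downstream steps never see them.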
Article 6 of the GDPR requires a lawful basis for any processing, such as consent, performance of a contract or legitimate interest. For AI systems, obtaining explicit consent can be difficult, particularly when collecting data on a massive scale or re-using data. Legitimate interest, often invoked, requires a delicate balance with the rights of individuals, which can be challenged by data protection authorities.
Articles 15 to 22 of the GDPR guarantee rights such as access, rectification, erasure (the "right to be forgotten") and objection. In AI, these rights pose technical challenges: removing data from a trained model, for example, may require costly retraining. Software publishers need to design systems that can respond to these requests, thereby respecting privacy by design. Implementing privacy by design, however, is not only technically difficult but could also mean a significant loss of revenue for AI publishers.
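A minimal sketch of how an erasure request might be tracked in a training pipeline, assuming a simple in-memory store; the class and method names are invented for illustration, not a real API:

```python
from dataclasses import dataclass, field

@dataclass
class TrainingDataStore:
    """Toy store mapping data-subject IDs to their training records."""
    rows: dict = field(default_factory=dict)
    model_stale: bool = False  # set when the trained model must be rebuilt

    def erase(self, subject_id: str) -> bool:
        """Handle an Article 17 erasure request: delete the subject's
        records and flag the model for retraining, since a model trained
        on the data may still retain traces of it."""
        if subject_id in self.rows:
            del self.rows[subject_id]
            self.model_stale = True
        return self.model_stale

store = TrainingDataStore(rows={"user-1": ["..."], "user-2": ["..."]})
store.erase("user-1")
```

The `model_stale` flag captures the cost described above: honouring erasure is not just deleting a database row, it can invalidate the trained model itself.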
In its recommendations on AI systems of 8 April 2024, the French data protection authority (CNIL) issued guidance to help AI publishers comply with the GDPR, offering practical solutions to the challenges identified.
These recommendations underline the need for a proactive approach, which is essential if sanctions are to be avoided.
Recent sanctions reveal the legal risks facing AI publishers and highlight the demands of regulatory authorities.
On 20 December 2024, the Italian data protection authority (Garante) fined OpenAI €15 million for breaches of the GDPR. The grievances included processing data without a legal basis (Articles 5(2) and 6 of the GDPR), lack of transparency (Articles 12 and 13 of the GDPR), production of inaccurate data (AI hallucination) and failure to notify a data breach that occurred in March 2023 (Article 33 of the GDPR). In addition, OpenAI had not put in place adequate systems to protect minors from inappropriate content generated by its AI, notably failing to verify the age of users (Articles 24 and 25(1) of the GDPR). OpenAI was ordered to run an information campaign in Italy to make users aware of ChatGPT's data collection practices. In France, Mistral AI, the well-known French generative AI unicorn, is also the subject of a complaint to the CNIL. The complainants accuse the company of failing to obtain user consent for the training of its models (Article 7 of the GDPR) and of failing to provide clear information on the data collected (Article 12 of the GDPR).
These investigations show how difficult it is for generative AI, which must ingest massive amounts of data to function, to comply with the GDPR.
Clearview AI, a US facial recognition company, has been fined several times in Europe for collecting and processing biometric data without a legal basis. In France, the CNIL imposed a fine of €20 million in 2022, followed by a further penalty of €5.2 million in 2023 for failure to comply with its injunctions. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Clearview AI €30.5 million on the same grounds, and fines were also imposed in Italy, Greece and the United Kingdom. These sanctions illustrate the severity with which European regulators treat breaches involving sensitive data. Clearview AI, based in Manhattan, refuses to comply with the European sanctions or even to pay the fines, and has not changed its practices since, engaging in a tug-of-war with European regulators. As a result, the Dutch regulator is considering holding the company's directors personally liable, much as the French courts did in the Telegram case.
In June 2023, the Swedish Data Protection Authority (IMY) fined Spotify €5 million for failing to provide sufficiently detailed information in response to user access requests. Spotify uses AI for its music recommendations.
Although Spotify did provide some information, it was unclear how the data was used by its recommendation algorithms.
AI publishers therefore face increasing legal, financial and reputational risks. Ensuring compliance requires them to embed the GDPR's requirements into their systems from the design stage onwards.
By anticipating legal risks and taking a proactive approach, AI publishers can not only avoid costly penalties but also strengthen user confidence and their market position.
Striking a balance between essential compliance with the guarantees imposed by the GDPR and the need for European artificial intelligence systems to perform is a major challenge today. This challenge arises in a particularly tense geopolitical context, where each normative constraint on performance can significantly penalise the nations involved in the AI race.
When it was adopted in April 2016, the GDPR did not anticipate the rapid and massive emergence of generative AI, which is now accessible to the general public. These new technologies, which process huge volumes of personal data on a daily basis, now raise a key question: is the GDPR already on the way to becoming obsolete in the face of this major technological innovation?
If you are faced with these issues, the lawyers at Deprez Guignot et Associés, who specialise in GDPR and artificial intelligence law, can provide you with expert support.