GDPR Learning Hub

Artificial intelligence

Legal bases for the development and use of AI models 

Several of the legal bases in the GDPR may be appropriate for supporting the processing of personal data that takes place when AI models are developed and used. Which one fits depends on whether the processing concerns training (development) or using a finished model, and on whether the controller is a private company or a public entity.

Requirement to have a legal basis

The GDPR is clear that a company must have a legal basis in order to process personal data at all. Article 6 of the GDPR lists a total of six (6) legal bases, and every processing operation must be supported by at least one of them.

Legal bases that private companies can use for the development and use of AI models that involve processing of personal data

Consent

Consent may be a possible legal basis for the personal data processing that takes place in connection with the development and use of an AI model, provided that it meets the requirements for valid consent under the GDPR. In practice, however, it is often an inappropriate legal basis, especially when developing AI models, because handling a very large number of consents is administratively burdensome. For example, it is difficult to keep track of all withdrawn consents (and to stop using, or retrain without, the data of those who have withdrawn), and to inform every data subject in the manner the GDPR requires.

Requirements for valid consent
Voluntary

Consent must be given freely. If the data subject is pressured into giving consent, it is not freely given. In other words, consent must be a genuine and active choice by the data subject. The data subject may not suffer negative consequences for refusing to consent, and consent is not valid if it is made a condition of a contract even though the processing is not necessary for performing that contract.

Inequality of power

If there is a clear imbalance of power between the parties, consent is not considered freely given and is therefore not valid. Typical examples are an employer processing personal data about an employee, or a government authority processing personal data about citizens.

Informed

The data subject must be informed about what he or she is consenting to and what giving consent means. The information must be provided in a language that the data subject understands and must be easily accessible.

Possibility of withdrawal

It must be as easy to withdraw consent as it was to give it. If this requirement is not met, the consent is considered invalid from the outset.

Contracts with data subjects

Processing may be supported by a contract with the data subject as the legal basis if the processing of the personal data is necessary in order to enter into or perform the contract. Note that this is not a common legal basis when developing an AI model: the company would need a contract with each data subject under which processing of his or her personal data is necessary in order to develop the model, which is rarely the case.

However, it may be more appropriate to use this legal basis for the use of a fully trained AI tool. In such cases, the processing of personal data in connection with the use of the AI model may be based on a contract with the data subject as a legal basis, where the processing is necessary for the performance of the contract.

Legitimate interest

Legitimate interest is the most flexible legal basis in the GDPR and is commonly used.

In order to determine whether it has a legitimate interest in the processing of personal data, the company must first carry out a balancing of interests. If the company concludes that its interest outweighs the interests of the data subjects, it may carry out the processing. Note, however, that the data subject has the right to object to the processing under Article 21 of the GDPR, after which the company must stop unless it can show compelling legitimate grounds that override the data subject's interests.

Three steps in the assessment of whether the company has a legitimate interest

It is possible to use legitimate interest as the legal basis in the development and use of AI models if the following three requirements are met: 

1. Does the company or a third party have a legitimate interest in the processing of personal data?

Companies may have different types of interests and reasons for processing personal data. At this first step the question is only whether the motive is acceptable, i.e. whether the interest is legitimate; whether it outweighs the interests and fundamental rights of the data subject is assessed in step 3. Examples of interests that are generally accepted as legitimate are direct marketing, prevention of crime such as fraud and money laundering, and IT security.

A legitimate interest shall be: 

  • In accordance with the legislation in force. 
  • Specifically and clearly stated. 
  • An actual interest, not just a hypothetical or speculative one. 

2. Is the processing necessary in order to achieve the legitimate interest?

The starting point is that if the same purpose can be achieved with a less intrusive method, the processing is usually not necessary. The necessity of the processing must also be assessed against the principle of data minimisation: the processing can only be considered necessary if it is strictly limited to what is required to achieve the purpose.

3. Does the legitimate interest of the company outweigh the interest of the data subject in the protection and non-processing of personal data?

If a company considers that it has a legitimate interest and that the processing is necessary, it must then weigh its interest against the interests of the data subjects. Among other things, this includes whether the data subjects can reasonably expect the processing. Further factors to take into account when balancing the interests are:

What kind of interest does the company have? For example, is it a purely commercial interest, a general interest, a fundamental right or something similar?

Can anyone be harmed if the processing is carried out? For example, if the processing involves storing credit card data, unauthorised access could lead to financial consequences for the data subjects.

What is the relationship of power between the parties? For example, if there is an unequal power relationship, such as between an employer and its employee.

Is the data subject a child or an adult? Children are particularly worthy of protection and therefore special care should be taken when processing children's personal data.

Is the company powerful? If it is a very powerful company that dominates the market, the relationship between the parties can be highly unequal.

How extensive is the processing of personal data? The larger the scope, the higher the risk. If profiling is involved, the processing can be more problematic still.

Are there any fundamental rights of the data subject that may be adversely affected?

What are the advantages and disadvantages of the processing for the data subjects?

Example of when legitimate interest is an appropriate legal basis for the development and use of AI models:

AI model to suggest travel destinations to customers

A company that operates a travel booking service wants to develop an AI model in order to suggest travel destinations to customers. The training data consists of the customers' travel history, but no direct identifiers, such as name or social security number, are included. Note that removing direct identifiers pseudonymises the data; travel history that can still be linked back to an individual customer remains personal data, so a legal basis is still required. In addition, the company chooses to train the AI model with a small amount of data at a time until the desired result is achieved, in order to meet the requirements of the principle of data minimisation.

Steps in the assessment of the legitimate interest

Here are the three steps used to determine whether the company's interest outweighs the interests of the data subjects, i.e. whether the company can rely on legitimate interest for the processing.

1. Assess whether there is a legitimate interest

First of all, the company needs to establish that it has a legitimate interest in the processing. In this case, the company has a commercial interest in developing an AI model that can suggest trips to customers based on their preferences. This may be a legitimate interest. In addition, the interest must be lawful, specific and real, which also appears to be the case here.

The information indicates that the company has a legitimate interest.

2. Determine if it is a necessary personal data processing

The processing must be necessary to achieve the purpose, which means, among other things, that it must comply with the principle of data minimisation. In order not to process more personal data than necessary for the purpose, the company has added training data gradually until the AI model works as intended. The company has thereby taken steps to ensure that the processing complies with the principle of data minimisation.

The information suggests that it constitutes a necessary personal data processing.

3. Carry out the balancing of interests (this must be documented in writing)

The final step is to balance the interests of the data subjects against those of the company. In this case, the legitimate interest is not a public interest, and the company states that it would not be harmed if the interest could not be satisfied. In addition, the aim is to have a positive effect for the data subjects, as they receive travel recommendations that suit them, based on their own preferences and travel history.

It is also within reasonable expectation that the company uses information such as travel history to produce offers, even though those offers are to the company's advantage.

In this case, the interests of the data subjects do not appear to outweigh the company's legitimate interest in the processing. The processing may therefore be supported by legitimate interest as the legal basis.

Example of when legitimate interest is not an appropriate legal basis for the development and use of AI models:

Developing an AI-based tool that can mark tests

A company wants to develop an AI-based tool that can mark tests. It therefore requests hundreds of thousands of marked tests from schools under the principle of public access to official records (a similar principle exists in many EU countries).

Three steps to determine whether the company has a legitimate interest

1. Assessment of the legitimate interest

There may be a legitimate interest in developing an AI-based tool that can mark tests for a commercial purpose, i.e. in order to make money from it. In addition, the interest must be lawful, specific and real and present, which appears to be the case here. In other words, the company appears to have a legitimate interest in developing such a system.

2. Assess whether it is a necessary processing of personal data

If a company considers that it has a legitimate interest in a particular processing operation, it must then assess whether the processing is necessary to achieve the purpose. To do so, the company must ensure that the processing complies with the principle of data minimisation: it may not process more personal data than necessary.

In this case, the company requests a very large number of tests, and there is no indication that it has analysed which of them are actually needed to train the AI model. Nor has the company started with a small amount of data and added more only until the model was sufficiently trained. In other words, the company has not taken sufficient steps for the processing to meet the requirements of the principle of data minimisation.

Conclusion

The company appears to have a legitimate interest in the processing, but the processing cannot be considered necessary to achieve that interest. The processing is therefore not permitted. Since this conclusion already shows that the processing is not permitted, the balancing of interests (step 3) does not need to be carried out.

Legal bases that are difficult to rely on

Legal obligation

There is little scope for using legal obligation as the legal basis for the development and use of AI models. Legal obligation means that a law, regulation or collective agreement requires the company to process the personal data; a general business need to build or use an AI model is not such an obligation.

Protection of vital interests

The protection of vital interests (Article 6(1)(d)) may only be used as a legal basis if the processing is strictly necessary in order to protect someone's life. It is an unusual legal basis, as only a few kinds of activities involve saving lives. Hospitals are an example of organisations that rely on it, for instance when a person is admitted unconscious. Note that this legal basis cannot be used if the person is able to give consent, for example when a conscious patient has booked an appointment with a doctor. It is difficult to argue that the development or use of an AI model is necessary to save someone's life, so it is highly unlikely that this legal basis would apply.

If the enterprise is a public entity

In some cases, private companies are active in the public sector, for example a private school or hospital. The main legal bases that public entities can use for the development and use of AI models are:

  • Contracts with data subjects. 
  • Legal obligation. 
  • A task carried out in the public interest or in the exercise of official authority. 


Information obligation in the development and use of AI models

Under the GDPR, companies must inform data subjects about the processing of their personal data. This is usually done in a privacy notice, often published on the company's official website. Among other things, it must state which personal data are processed, for what purposes and on which legal basis, how long the data are retained, and what rights the data subjects have. The privacy notice must be written in a language the data subjects understand, usually the national language, and must not be unnecessarily complex.