Editor's note: Part of a series on key data protection issues posed by large language models, this article discusses whether individuals can be considered controllers for their own inputs and outputs when using LLM chatbots. The interim report issued by the European Data Protection Board's ChatGPT Taskforce considers this a transfer of EU General Data Protection Regulation responsibilities to data subjects which violates the GDPR's fairness principle.

A contentious issue involving large language model chatbots is who should be considered the controller for inputs and outputs, and, therefore, responsible for data subjects' requests.

In its 15 July discussion paper, the Hamburg Commissioner for Data Protection and Freedom of Information stated LLMs do not store personal data and, therefore, the deployers of the LLM chatbot — rather than the provider of the LLM — should be responsible for data subjects' requests "at least regarding the input and the output of the LLM chatbot."

The Hamburg DPA refers to October 2023 guidance from Denmark's DPA, Datatilsynet, also stating AI models do not constitute personal data themselves, because they are only the result of the processing of personal data.

But what if the LLM chatbot is offered directly to consumers? Should individuals using it then be considered the controllers for their prompts and the resulting outputs?

Under the EU General Data Protection Regulation, individuals can indeed qualify as controllers, as the definition of "controller" covers both natural and legal persons.

In many use cases, such processing by natural persons would fall within the "household exemption" under subsection 2(c) of GDPR Article 2. This means any processing of personal data by these individuals falls outside the scope of the GDPR and they do not have to respond to requests from other data subjects relating to their inputs and outputs.

If the Hamburg DPA's opinion is followed, the provider of the LLM chatbot is also off the hook for servicing these requests. Therefore, the DPA's position would result in no one being responsible for responding to data subjects' requests in relation to inputs and outputs, leading to a gap in data protection.

First EDPB guidance on data subjects as controllers

The first European Data Protection Board guidance on the role of individuals as controllers is provided in the 24 May report of its ChatGPT Taskforce. The guidance states that the prompts data subjects enter into ChatGPT may well contain personal data, which may be used to update the LLM. Instead of treating the data subjects as controllers for their prompts, the taskforce explicitly states that a crucial aspect of the GDPR's overarching fairness principle is that there should be no transfer of an enterprise's responsibilities to data subjects.

"(T)he responsibility for ensuring compliance with GDPR should not be transferred to data subjects, for example by placing a clause in the Terms and Conditions that data subjects are responsible for their chat inputs. Rather, if ChatGPT is made available to the public, it should be assumed that individuals will sooner or later input personal data. If those inputs then become part of the data model and, for example, are shared with anyone asking a specific question, OpenAI remains responsible for complying with the GDPR and should not argue that the input of certain personal data was prohibited in first place."

Individuals as controllers: Not a new issue

The issue of whether individuals can act as controllers and the resulting transfer of risk from the enterprise to the individual is not new. The introduction of social media networks presented a similar conundrum, which has been adequately solved within the EU data protection framework. In 2008, the underlying issue was well phrased by the International Working Group on Data Protection in Telecommunications in its Report and Guidance on Privacy in Social Network Services – "Rome Memorandum."

"With respect to privacy, one of the most fundamental challenges may be seen in the fact that most of the personal information published in social network services is being published at the initiative of the users and based on their consent. While 'traditional' privacy regulation is concerned with defining rules to protect citizens against unfair or unproportional processing of personal data by the public administration (including law enforcement and secret services), and businesses."

As data subjects themselves publish their personal data on social networks, providers argued they were not responsible for the processing of that personal data, that is, they did not qualify as the controller; rather, the data subjects themselves were responsible. This posed the question of whether EU data protection laws were also meant to protect data subjects from themselves and from other data subjects. The EDPB's predecessor, the Article 29 Working Party, brought clarity in its 2009 opinion on how to apply EU data protection law to social network services.

"SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the 'basic' services related to user management (e.g. registration and deletion of accounts). … SNS should ensure privacy-friendly and free of charge default settings are in place."

According to the WP29, network users who upload their own personal data and the personal data of other data subjects do not qualify as controllers, provided their activities fall within the household exception. The WP29 states this depends on whether the user acts on behalf of a company or uses the platform to advance commercial, political or charitable goals, and on whether access to the user's profile is provided to all members within the SNS.

This is the right conclusion mainly because where data subjects themselves are qualified as controllers, they — and other individuals whose personal data they upload — basically do not receive any protection. All responsibilities under the GDPR are then transferred to the individual, while this individual has no meaningful influence on the purposes and means of the LLM chatbot, other than choosing to use it in the first place.

Concluding thoughts

Enterprises cannot just launch new technologies, then take no responsibility for their use. As the EDPB's ChatGPT Taskforce rightly stated, "the principle of fairness pursuant to Article 5(1)(a) GDPR is an overarching principle" and a "crucial aspect of fairness is that there should be no risk transfer, meaning that controllers should not transfer the risks of the enterprise to data subjects."

LLM chatbot providers should take responsibility for the fact that, sooner or later, data subjects must be assumed to include certain personal data in their prompts, and providers should not be able to argue that the data subjects are responsible for this input.

The issue is not whether the household exemption applies; it is about basic fairness principles, which require companies to take responsibility for GDPR compliance. The main LLM chatbot providers already have dedicated channels in place to respond to data subject requests, and rightly so.

Lokke Moerel is senior of counsel at Morrison Foerster and Professor of Global ICT Law at Tilburg University. Marijn Storm is of counsel at Morrison Foerster.