Operational impacts of the EDPB's opinion on data protection in AI models


Contributors:
Christina Varytimidou
AIGP, CIPP/E, CIPM
Data Protection Lawyer
EU Public Sector
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The European Data Protection Board's long-awaited Opinion 28/2024 addressed whether, and under which circumstances, artificial intelligence models can be regarded as anonymous and whether legitimate interests can be a valid legal basis during the development and deployment of AI models.
The EDPB advised data protection authorities to consider the anonymity status of AI models on a case-by-case basis, as it "considers that AI models trained with personal data cannot, in all cases, be considered anonymous," and confirmed legitimate interest can be used as a legal basis by AI developers for model training, as long as the three-step test is passed.
Much more than that, though, the 17 Dec. 2024 opinion also indirectly gives data protection and AI governance professionals insights on operationalizing its recommendations in practice.
Establish a procedure to assess anonymity of AI models, risk of personal data identification
The EDPB's opinion encourages an ad hoc assessment of anonymity and a "thorough evaluation of the risks of identification," providing a list of criteria to consider. This assessment shall document, among other things, the likelihood of direct extraction of personal data used for training and the likelihood of obtaining personal data from queries.
A new procedure and a risk assessment template must, therefore, be established that will assess the risk of identification not only by the data controller but also by third parties that could potentially access or reuse the AI model. A reference to this new procedure must also be included in the internal privacy by design and/or privacy notice.