Abstract
Abstract Neural network based generative artificial intelligence (GenAI) systems, in particular large language models (LLMs), hold huge potential for economic, scientific, and artistic progress. However, they are also the subject of ongoing fierce data protection debates. Some even doubt whether GenAI systems can, at least in principle, comply with the General Data Protection Regulation (EU) 2016/679 (GDPR). This issue was highlighted by a temporary ban of ChatGPT by the Italian data protection authority in March 2023. To answer the question of possible compliance with the GDPR, this paper will first illustrate relevant technical aspects and then examine the extent to which GenAI systems process personal data. A distinction will be made between training, use, and the system itself as stored on a hard drive. On this basis, this paper addresses the key question of the lawfulness of the respective processing activities, bearing in mind that each specific use case of any GenAI system requires a specific data protection assessment. While the issues discussed in this paper are relevant to GenAI systems in general, they are particularly relevant to LLMs trained on large amounts of text-based personal data. As one result, the analysis identifies serious challenges in the application of the GDPR to LLMs. However, with no significant updates to the relevant GDPR provisions in sight, this paper aims to show how pragmatic solutions are both necessary and largely possible even under the current legal framework. This includes practical guidance for developers and users on how to ensure compliance.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.