A Balancing Act: Data Protection Compliance of Artificial Intelligence

Abstract

Abstract Neural network based generative artificial intelligence (GenAI) systems, in particular large language models (LLMs), hold huge potential for economic, scientific, and artistic progress. However, they are also the subject of ongoing fierce data protection debates. Some even doubt whether GenAI systems can4, at least in principle, comply with the General Data Protection Regulation (EU) 2016/679 (GDPR). This issue was highlighted by a temporary ban of ChatGPT by the Italian data protection authority in March 2023. To answer the question of possible compliance with the GDPR, this paper will first illustrate relevant technical aspects and then examine the extent to which GenAI systems process personal data. A distinction will be made between training, use, and the system itself as stored on a hard drive. On this basis, this paper addresses the key question of the lawfulness of the respective processing activities, bearing in mind that each specific use case of any GenAI system requires a specific data protection assessment. While the issues discussed in this paper are relevant to GenAI systems in general, they are particularly relevant to LLMs trained on large amounts of text-based personal data. As one result, the analysis identifies serious challenges in the application of the GDPR to LLMs. However, with no significant updates to the relevant GDPR provisions in sight, this paper aims to show how pragmatic solutions are both necessary and largely possible even under the current legal framework. This includes practical guidance for developers and users on how to ensure compliance.