The European Data Protection Supervisor (EDPS) published, on June 3rd 2024, its orientations on generative Artificial Intelligence (generative AI) and personal data for EU institutions (EUIs). The guidelines aim to give EUIs practical advice on complying with the data protection obligations set out in Regulation (EU) 2018/1725 when using or developing generative AI tools.
These initial orientations emphasise general principles of data protection, combined with concrete examples, but do not prescribe specific technical measures. Some of the main conclusions of the EDPS are set out below:
- EUIs must consider carefully when and how to use generative AI responsibly and beneficially for the public good.
- Regular monitoring and the implementation of controls at all stages of a generative AI solution life cycle can help to verify that there is no personal data processing, in cases where the model is not intended for it.
- From the organisational perspective, the implementation of generative AI systems in compliance with the data protection regulation should not be a one-person effort. There should be a continuous dialogue among all the stakeholders involved (DPO, legal service, IT service and Local Informatics Security Officer) across the lifecycle of the product.
- Data protection risks must be identified and addressed throughout the entire life cycle of the generative AI system.
- The careful design of well-structured datasets, to be used in systems that prioritise quality over quantity, following a properly supervised training process, and subject to regular monitoring, is essential to achieve the expected results.
- Despite the efforts to ensure data accuracy, generative AI systems are still prone to inaccurate results that can have an impact on individuals' fundamental rights and freedoms.
- The application of procedures and best practices for bias minimisation and mitigation should be a priority in all stages of the lifecycle of generative AI systems.
- Data controllers should, in addition to the traditional security controls for IT systems, integrate specific controls tailored to the already known vulnerabilities of these AI systems.
These orientations are a first stage towards more detailed guidance that will consider the evolution of generative AI systems and technologies, their use by EUIs, and the results of the EDPS’ monitoring and oversight activities.