- On May 6, 2024, the German Data Protection Conference (“DSK”),published a guidance on the use of generative AI (“DSK GenAI”) incompliance with the General Data Protection Regulation (“GDPR”). The DSK is a collective body of seventeen data protection authorities in Germany.
- The DSK GenAI guidance aims to assist organizations in the GDPR compliant selection, implementation, and use of GenAI tools. While the guidance specifically focuses on Large Language Models (“LLMs”) it is also applicable to other AI applications.
- The guidance does not cover provider-related issues concerning the development or training of GenAI. Rather, it is directed at organizations deploying GenAI tools and, indirectly, at developers, manufacturers, and providers of AI systems. Organizations must ensure the legal field of application and compliance with data protection regulations during the training of AI applications.
- The legal basis for processing personal data varies depending on whether the deployer is a public or non-public body and the field of application.
- The guidance also lays down that transparency requirements under GDPR must be fulfilled, including regarding input and output history. Further, Data subject rights, such as rights to rectification and erasure, must be provided.It also mandates the involvement of data protection officers and employee representatives in decisions regarding AI applications.
- Other key features of the guidance include ensuring that responsibilities of external providers and joint controllers are clearly demarcated and defined,there exists adequate documentation of internation regulations determiningthe conditions and specific purposes for the use of AI applications, a Data Protection Impact Assessment is done before any personal data is processed and, lastly, principles of data protection — both by design and bydefault — are considered when designing AI systems.
- The GenAI guidance is significant for providing a structured approach for companies to navigate complex AI topics as well as in facilitating the adoption of AI deployment in a way that complies legally with GDPR. This guidance is one of the several steps taken by DSK to maintain Germany's leading position in the wide spread policy discussion regarding AI regulationin Germany and the EU.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.