The European Data Protection Board (EDPB) has released an opinion addressing the challenges of managing personal data in artificial intelligence (AI) systems. The guidance aims to set the stage for harmonised General Data Protection Regulation (GDPR) compliance across Europe. The guidance, requested by the Irish Data Protection Commission (DPC), focuses on critical issues such as anonymity, legitimate interest, and the implications of using unlawfully processed data in AI development and deployment.
“AI technologies may bring many opportunities and benefits to different industries and areas of life,” said EDPB Chair Anu Talus. “We need to ensure these innovations are done ethically, safely, and in a way that benefits everyone. The EDPB wants to support responsible AI innovation by ensuring personal data are protected and in full respect of the GDPR.”
The EDPB highlights anonymity as a cornerstone of GDPR compliance in AI. It asserts that determining whether an AI model is anonymous must be handled on a case-by-case basis by data protection authorities (DPAs). For an AI system to qualify as anonymous, it must not enable the identification of individuals or allow for the extraction of personal data through queries. The opinion offers guidance on techniques to achieve anonymity but avoids prescribing a single approach, acknowledging the dynamic nature of AI technologies.
The use of legitimate interest as a legal basis for personal data processing is another focal point of the EDPB’s opinion. It introduces a three-step framework to assist DPAs in evaluating whether this basis is appropriate. Legitimate interest may apply in cases such as virtual assistants and cybersecurity tools, provided that data processing is necessary and individual rights are respected.
The opinion also outlines criteria to determine whether individuals can reasonably expect their data to be used in AI systems. These criteria include whether the data was publicly available, the context of the collection, the nature of the relationship between individuals and data controllers, and the transparency around how the data will be used. Emphasising transparency, the EDPB urges organisations to ensure users are aware of how their online data might contribute to AI development.
The EDPB warns that using unlawfully processed data during AI development could render an AI model’s deployment non-compliant with GDPR. The opinion stresses that robust anonymisation measures are critical to mitigate these risks and to ensure that privacy protections remain intact in AI applications. This guidance seeks to reinforce accountability for organisations handling sensitive personal data.
Reactions from stakeholders
The Irish Data Protection Commission welcomed the EDPB’s guidance, highlighting its importance in establishing consistent regulatory standards across the European Union and European Economic Area. The DPC emphasised that the opinion provides supervisory authorities with the tools to address the societal and legal implications of AI technologies in a responsible and uniform manner.
On the industry side, the Computer & Communications Industry Association (CCIA Europe) recognised the opinion as a significant step in clarifying the use of personal data for AI development.
“The EDPB’s confirmation that ‘legitimate interest’ is a lawful basis for processing personal data in the context of AI model development and deployment marks an important step towards more legal certainty,” said CCIA Europe’s senior policy manager Claudia Canelles Quaroni. “It means that AI models can be properly trained using personal data. Indeed, access to quality data is necessary to ensure that AI output is accurate, to mitigate biases, and to reflect the diversity of European society.”
However, Quaroni warned that the lack of clear legal frameworks could hinder Europe’s competitiveness in AI-driven innovation, leaving businesses and consumers at risk of missing out on advanced technologies. She also cautioned that the EDPB opinion grants significant discretion to national data protection authorities, which could lead to inconsistent interpretations of EU privacy laws without sustained dialogue between regulators, industry players, and other stakeholders.
Read more: Council of Europe launches first legally binding AI treaty to protect human rights and democracy
