14.09.2023

"AI Flash": The Change of Purpose in the Use of AI

After highlighting the legal basis for data protection in the use of AI in our last AI Flash, we would like to continue to provide you with legal insights at regular intervals. Since time is a scarce commodity in today's society, we want to get straight to the point with our "AI Flash" and summarize the legal challenges briefly and concisely:

Today's topic: the change of purpose when using AI.

Article 5 para 1 lit. b) of the GDPR states that personal data must be collected for "specified, explicit and legitimate purposes" (the so-called purpose limitation principle). Before the data is collected, it must therefore be clear what the data will be used for. But why does this pose a challenge, especially when using AI?

Where does all the data come from?

As we have already indicated in our previous AI Quickies, an AI must first be trained, usually with a sufficiently large amount of data. The question quickly arises as to where all this data should come from. From a business point of view, it is easy to understand why existing (customer or employee) data sets should be used. After all, the data already exists.

The purpose limitation principle as a brake

And this is where purpose limitation comes in: it can be assumed that, as a rule, employee data, for example, was not collected with the intention of (also) using it to train an AI. Therefore, if - and this will again be the rule - the data subjects have not consented and no other legal basis allows the data to be used for a different purpose (a classic example for the case of legal disputes is Section 24 para 1 BDSG), a closer look must be taken at Article 6 para 4 GDPR.

Are the purposes compatible?

Article 6 para 4 GDPR provides for a so-called compatibility check in the aforementioned cases. As if the word itself were not already complicated enough, the controller has to consider a whole range of - non-exhaustive - requirements. What is the connection between the purposes? In what context was the data collected? What consequences are to be feared, and can encryption or pseudonymization procedures be taken into account as "suitable safeguards" where necessary? In addition, the "classic" question always arises as to whether - in addition to the requirements of Article 6 para 4 of the GDPR - there must be a (further) legal basis within the meaning of Article 6 para 1 of the GDPR.

So what is to be done?

In summary, the use of personal data for a different purpose - especially when using AI - should always be thoroughly examined. In addition, the information obligations under Article 13 para 3 of the GDPR and a corresponding adjustment to the list of processing activities pursuant to Article 30 para 1 of the GDPR must be observed.

If possible, however, care should be taken as early as the collection of the data to ensure that the purpose of the data processing is defined as broadly as possible from the outset and that appropriate information is provided to the data subjects. But be careful: empty phrases are inadmissible.

Our next AI Flash will deal with the training of an AI and the requirements to be observed here.

Authors

Marius Drabiniok

Associate

Dr. Oliver Hornung

Partner

Dr. Stefan Peintinger

Partner
