16.11.2023

"KI-Flash": Publication of the discussion paper “Legal bases with regard to Data Protection Laws when using Artificial Intelligence”

“KI-Flash”: State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg publishes discussion paper “Legal bases with regard to Data Protection Laws when using Artificial Intelligence”

In our last KI Flash article, we took a look at the legal requirements of the planned EU AI legislation, the EU AI Act (cf. here).

Current topic: Publication of the discussion paper “Legal bases with regard to Data Protection Laws when using Artificial Intelligence” on November 7th, 2023

On November 7th, 2023, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (“Commissioner”) published a discussion paper “Legal bases with regard to Data Protection Laws when using Artificial Intelligence”. Version 1.0 can be found here (German only).

We want to provide a brief overview of the discussion paper.

First of all, the Commissioner acknowledges that the EU General Data Protection Regulation (“GDPR”) does not contain any specific requirements for the use of artificial intelligence (“AI”). The GDPR is only applicable if personal data is processed. If this is the case, a controller must comply with all GDPR requirements.

The Commissioner then examines the various phases of processing personal data. In accordance with the current state of discussions, these phases are (at least) as follows:

  1. Collection of training data for AI.
  2. Data processing for training AI applications.
  3. Provision of AI applications.
  4. Use of AI applications.
  5. Use of results after deploying AI applications.

For each processing phase, it must be determined in terms of the GDPR (a) who the controller is (Article 4 (7) GDPR), (b) whether there is joint controllership (Article 26 GDPR), and (c) who may be acting as a processor (Article 4 (8) GDPR).

According to the discussion paper, two (or more) companies merging their respective data sets for AI training would be an example of joint controllership. Furthermore, the Commissioner mentions a company using a service provider that offers a cloud-based AI application as an example of a company engaging a processor.

The discussion paper goes on to discuss the various legal bases for processing personal data under the GDPR. If the respective requirements are met, any legal basis could generally be used in individual cases to process personal data using an AI application as well as for training an AI application. The Commissioner is also examining other legal bases in German national law, e.g. for employee data protection in accordance with Section 26 German Federal Data Protection Act (“BDSG”).

Towards the end of the discussion paper, the Commissioner provides a short checklist for AI processing operations.

The Commissioner provides very clear and practical statements and examples. We assume that some statements are likely to be discussed in more detail than others, but that is ultimately the purpose of a discussion paper. All interested parties are invited to take part in the discussion.

As announced, we want to address the risk-based approach of the planned EU AI Act in our next KI Flash.

Authors

Marius Drabiniok

Associate

Dr. Oliver Hornung

Partner

Dr. Stefan Peintinger

Partner
