EDPB Opinion on AI Models and GDPR Principles: Key Takeaways

In December 2024, the European Data Protection Board (EDPB) issued an Opinion in response to a request from the Irish supervisory authority, focusing on the application of GDPR principles in the context of AI models. The Irish supervisory authority posed three specific questions:
  1. When and how can an AI model be considered “anonymous”?
  2. What is the appropriateness of legitimate interest as a legal basis for AI deployment and development?
  3. What are the consequences of unlawful processing of personal data on subsequent operations of the AI model?
Through its answers, the EDPB provided key guidance on how AI models interact with fundamental rights to privacy and data protection established in the GDPR.

Anonymous AI Models

According to the EDPB, “[f]or a model to be anonymous, it should be very unlikely 1) to directly or indirectly identify individuals whose data was used to create the model, and 2) to extract such personal information from the model through queries.” While anonymous data can help mitigate privacy concerns, it does not automatically make the AI model completely exempt from GDPR compliance. When a model is claimed to be anonymous, supervisory authorities will evaluate the claims of anonymity on a case-by-case basis, considering “all the means likely to be used” by the controller or a user. The Opinion states that supervisory authorities should review the documentation provided by the controller when assessing if the model is truly anonymous. The EDPB outlines methods that the controller may use to demonstrate anonymity, which may include: 1) reducing the amount of personal data used during training, 2) taking steps to ensure this data cannot be identified, and 3) utilizing technical safeguards to prevent data extraction from the AI model using prompts or queries.

Key Takeaway: If a business claims an AI model relies on anonymous data, the claims of anonymity should be substantiated on a case-by-case basis with sufficient evidence and documentation. To do this, businesses with allegedly anonymous AI models may need to implement technical measures to limit the collection of data, reduce the likelihood of data being identifiable, protect against that data being extracted by users during deployment, and create documentation capable of demonstrating these efforts.

Legitimate Interest as a Legal Basis

Under the GDPR, a legitimate interest may constitute a legal basis for companies to process personal data when they have a justifiable reason to do so (beyond obtaining consent). However, the legitimate interest should be balanced against the data subject’s rights and interests, which requires careful consideration and justification when processing information from data subjects. The Opinion provides a framework to assess if a legitimate interest can be a valid legal basis for processing personal data in AI development and deployment. The framework comprises a three-step test:
  1. Identify the legitimate interest pursued by the controller;
  2. Assess the necessity of the processing for purposes of the legitimate interest; and,
  3. Balance the legitimate interests against the rights and freedoms of the data subjects.
When conducting this test, the controller should be careful to identify an interest that is lawful, clearly articulated, and non-speculative. For example, a legitimate interest may be to develop an AI model’s conversational agent or to improve threat detection in an information system. The controller should also adhere to GDPR data minimization principles, which state that the processing activities must be proportionate and in line with only what is necessary to achieve the legitimate interest. Finally, controllers should conduct a nuanced balancing test. This test considers the unique circumstances of each case, which may include the data subject’s interest in retaining control over their data, personal benefits, or socioeconomic interest. The Opinion notes that the more precisely an interest is defined in relation to the purpose of the processing, the more precise the estimation of benefits and risks will be. By employing this framework, developers and deployers should be able to decrease the likelihood that their AI models are disproportionately infringing on individual privacy rights and better align their AI practices with GDPR requirements.

Key Takeaway: The three-step analysis, according to the Opinion, is crucial to improving compliance for organizations relying on legitimate interest as a legal basis for processing in AI development or deployment. Organizations relying on legitimate interest in this AI context should review their processing activities to determine whether they are proportionate, transparent, and aligned with GDPR principles—like data minimization—to justify the reliance on legitimate interest as a legal basis for processing.

Consequences of Unlawful Processing

The Opinion notes that supervisory authorities enjoy discretionary powers to investigate and assess violations, and they can choose appropriate remedial measures based on the context of the case. However, the EDPB also provides guidance for the supervisory authorities, based on three scenarios.
  1. In the first scenario, personal data is retained in the AI model. The Opinion states that supervisory authorities will need to consider the surrounding circumstances of the AI model to determine if the development and deployment phases of the model involve different legitimate purposes for processing. If so, each should be examined separately.
  2. In the second scenario, personal data is retained in the model and is processed by another controller during deployment. In this instance, the supervisory authorities should determine if the deploying controller conducted an appropriate assessment to demonstrate accountability with Articles 5(1)(a) and 6 of the GDPR. This assessment should show that the AI model was not developed by unlawfully processing personal data.
  3. In the final scenario, a controller unlawfully processes personal data to develop the AI model, and then anonymizes the data before processing it in the context of deployment. The Opinion states that, if it can be demonstrated to the supervisory authorities that the deployment of the AI model does not entail the processing of personal data, then the GDPR does not apply. Therefore, the unlawfulness of the initial processing in development should not impact the deployment operation of the model.
While supervisory authorities do have substantial discretion in oversight of processing activities, the scenarios highlighted by the EDPB show that the development and deployment phases, while connected, may need to be evaluated independently.

Key Takeaway: Organizations should proactively ensure compliance at both the development and deployment stages of an AI model. Supervisory authorities will likely use the above examples as guidance, emphasizing the importance of demonstrating lawful practices through each stage of the model.

The EDPB’s Opinion is an important guide for organizations navigating the intersection of AI and data privacy law. By addressing issues around anonymous AI models, legitimate interest, and lawful processing in development and deployment stages, the Opinion emphasizes responsible AI development. As AI technologies continue to advance, businesses should be aware of the ways supervisory authorities are overseeing their AI models. The insights provided by the EDPB provide a foundation to help businesses advance and develop new AI models, while also helping to safeguard and protect the rights of individuals.
The Risks of LLMs and Generative AI

[Modified version originally published as International Insights Article: Privacy implications for organizations using generative AI, by Lily Li, on OneTrust DataGuidance, June 2023.]

Well, the cat is out of the bag – or at least the chat is. Generative AI and large language models (“LLMs”) are here to stay. From philosophical conversations between the dead to Murakami-inspired artworks for downtown LA, the possibilities of user-friendly AI are limitless. Regulators are scrambling to enforce existing legislation and enact new legislation to contain this trend. But, like all enforcement, it will take time. As a result, many companies are moving quickly to adopt and deploy these tools, testing the legal and ethical boundaries of AI. To stay competitive, companies should not wait for data protection regulators to play cat-and-mouse games with these nascent technologies. Instead, companies need to be proactive and adopt strategies to implement transparent and trustworthy AI – not just to avoid lawsuits and regulatory fines – but to protect their data and their brands. Companies also need to be able to account for the data they input into their generative AI or LLM algorithms, or else risk destruction of these algorithms altogether. In this article, we’ll discuss the latest privacy and security risks from generative AI and LLMs, a few of the existing privacy laws that apply to these technologies, and the potential for algorithmic disgorgement or deletion in response to privacy violations.

Social Engineering and Identity Verification

Generative AI has clearly passed the Turing test. From all outward appearances, companies and their employees cannot tell the difference between human-generated and AI-generated text. This makes it easier for traditional phishing emails and other scams to look legitimate to readers — making it far more likely for employees to click on malicious links and download malware.
Going one step further, generative AI can create realistic identities. From resumes to cover letters, online social media profiles to sample work product, these tools can improve a threat actor’s ability to pass itself off as a well-rounded individual, bypassing normal screening tools and even HR processes. In this era of remote work, it is easy to imagine malicious actors getting onboarded and hired due to their made-up “skills” and turning into insider threats once they gain access to company systems. This risk increases for companies that rely on virtual assistants and employees, where there are even fewer external validations of identity. While companies often rely on phishing training and cyber insurance to mitigate traditional cyber-attacks, this is not enough going forward. Many cyber insurance policies exclude social engineering attacks, exclude activities involving managers or other high-level employees, or confine social engineering and phishing attacks to technological attacks and not traditional identity theft, crime, and fraud. Consequently, companies should consider AI-based email filtering systems and EDR/MDR systems to combat sophisticated phishing attacks. Security awareness training should extend beyond phishing training and include identification verification and reporting of suspicious activity across the organization. Companies should also consider HR and other vendor onboarding policies to include in-person vetting or other external validation for recruiting and outsourcing.

Privacy and DSAR Risks

  • Is Processing of Personal Data for Generative AI Lawful?
Large language models, and similar machine learning tools, have a privacy problem. All these systems rely on processing vast quantities of public and sometimes proprietary data to generate responses and analysis. Absent further safeguards, these inputs will likely contain personal data. This raises the question: where does this data come from, and is the processing lawful? This question came to a head recently in Italy, where data protection authorities issued a temporary ban on ChatGPT,[1] citing OpenAI’s failure to provide transparent notices regarding how it processes the personal data of users and data subjects (required under Articles 12, 13, and 14 of the GDPR). More importantly, the authorities found no legal basis under Article 6 of the GDPR for the collection and processing of personal data to train OpenAI’s algorithms. Impacted data subjects did not consent to the processing and, reading between the lines, OpenAI’s legitimate interest was an insufficient basis for processing given the: (i) failure to provide notice; (ii) inability to correct and delete data; and (iii) heightened privacy risks for children due to the lack of age verification techniques. OpenAI subsequently addressed Italy’s concerns in sufficient detail to resume services,[2] but it remains unclear whether other data protection regulators in the EU will also confront OpenAI over the GDPR’s transparency and lawful bases requirements. If businesses utilize generative AI and LLMs, they should be prepared to provide compliant privacy notices to data subjects, and either obtain their explicit consent or conduct a legitimate interest analysis prior to submitting any personal data to AI or LLM platforms.

These data privacy risks also exist in the United States. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (“CPRA”), also requires businesses to provide transparent privacy notices and privacy rights to individuals.
In addition, CPRA has imported the GDPR concepts of data minimization and proportionality. Personal data processing needs to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.”[3] Consequently, companies should be wary of taking existing datasets containing personal information and running them through generative AI systems, if this use runs contrary to the expectations of data subjects when they originally submitted the data. Companies may need to re-evaluate their privacy notices and provide further notices regarding AI processing. Furthermore, both GDPR and the CPRA (and similar US state laws) require covered organizations to give individuals the right to opt out of automated processing or automated decision-making, including profiling.[4] While California lawmakers have yet to issue regulations concerning automated decision-making, those regulations will likely align with GDPR concepts. This means that individuals will have the right to opt out of AIs making decisions that have legal effects, such as those surrounding employment, housing, or access to services and benefits. So, for those who are wondering, you can’t have chatbots all the way down — eventually, there needs to be a human decision-maker at the end of the line.
  • Who Owns the Data? Privacy Rights to Correct and Delete
Generative AI and LLMs also call into question the ownership and control of personal data. GDPR, CCPA, HIPAA, and GLBA, among other regulations, require covered entities to obtain contractual commitments with vendors that process personal data, PHI, or NPI on their behalf.[5] By giving company personal data to an AI system absent formal review, companies may be violating these laws, trading away the privacy of their customers, and giving up valuable IP to third parties. To combat this problem, companies should always read the terms and privacy policies of any new AI and LLM tools to confirm, as an initial step:
  • The company owns all content provided to the AI system and any output generated by the AI
  • The AI provider will provide appropriate technical and organizational measures to protect personal data
  • The AI provider will maintain the confidentiality of data and limit use of the data to those purposes disclosed by the AI provider (and similarly, disclosed by the company to the relevant data subjects)
  • The AI provider will assist the company in responding to privacy requests, including those that require correction and deletion of personal data
  • The AI provider has appropriate data transfer mechanisms in place if personal data will cross borders
Assuming the generative AI or LLM terms and privacy policies cover the items above, the company may need to negotiate additional clauses under GDPR, CCPA, HIPAA, and GLBA depending on whether regulated data is provided to these platforms. If these contractual commitments do not exist, then companies should consider policies prohibiting the disclosure of personal or proprietary data — or else risk unauthorized access or even public disclosure of this information. Even if the terms and privacy policies guarantee the confidentiality of data, companies should still validate whether the generative AI or LLM model appropriately de-identifies or anonymizes personal data or proprietary data when it improves its language models. One of the most concerning issues with generative AI is its inexplicability — often the programmers creating the model do not even understand how the AI is generating its output. Thus, even if a data subject submits a deletion or correction request, it is unclear whether this request will be propagated through the model to remove/amend information that was previously fed into the model. Consequently, companies should test any generative AI or LLM model to confirm whether identifiable data is output from the model, based on test inputs. Finally, even if a company does not input personal information into a generative AI or LLM platform, employees may be tempted to use these platforms to research or create media about a known individual. Unfortunately, generative AI regularly creates false information about individuals. At best, this may trigger notification to data subjects under Article 14 of the GDPR “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” — so they are aware of the processing and can exercise any privacy rights. At worst, publication of this personal data may be grounds for a defamation lawsuit. 
Once again, companies need to implement robust identity verification and external validation of AI output concerning personal data.  
  • Children’s Privacy
The impact of generative AI and LLM products on children will be tremendous, given the ease and accessibility of chatbots, and the vast potential for personalized education, gaming, and social services. Companies operating in this space should pay close attention to children’s privacy rules that may impact their use or provision of generative AI and LLM products and services. California’s Age-Appropriate Design Code, modeled after the UK’s Age appropriate design code, for instance, requires a data protection impact assessment and a “high level” of privacy for online providers of services, products, or features that are “likely to be accessed by children.”[6] This law covers children under the age of 18. In addition, COPPA – a US federal privacy law – requires clear and conspicuous privacy notices and affirmative consent by parents prior to collection of personal information from children under 13. Companies that offer products and services that may be attractive to children will need to implement these heightened privacy requirements, or in the alternative, implement robust age-gating techniques.

Regulatory Enforcement and Algorithmic Disgorgement

Once an AI system is trained on bad data, can it be saved? According to the U.S. Federal Trade Commission (FTC) – perhaps not. While there is currently no comprehensive federal legislation in the United States governing privacy or AI, the FTC does have the ability to regulate “unfair and deceptive acts or practices in or affecting commerce.”[7] The FTC has interpreted its enforcement power to include unfair and misleading practices regarding the collection and use of personal data – including, for example, actions against Cambridge Analytica for harvesting of Facebook user data, and against GoodRx Holdings for its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.[8] The FTC’s scrutiny of privacy and security practices extends to AI.
In January 2021, the FTC entered a settlement order with photo storage service, Everalbum, over allegations that it deceived consumers about its use of facial recognition technology.[9] While Everalbum allegedly represented that it would not apply facial recognition to users’ content unless they opted-in, it applied facial recognition technology by default for most users without any ability to turn this feature off. As part of the settlement order, the FTC required Everalbum to delete all facial recognition models or algorithms developed with Everalbum users’ photos or videos. More recently, the FTC required algorithmic destruction in an action against WW International, Inc., formerly known as Weight Watchers, and a subsidiary called Kurbo, Inc.[10] According to FTC Chair Lina Khan, “Weight Watchers and Kurbo marketed weight management services for use by children as young as eight, and then illegally harvested their personal and sensitive health information….Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.” Thus, AI companies face potential deletion or disgorgement of their algorithms if they collect personal data in an unfair or deceptive manner. While it may be tempting to amass larger and larger datasets to build the best algorithms, companies that rely on improper collection of data may find themselves bereft of their most valuable intellectual property.

Move Deliberately and Create Things

Generative AI and LLMs do not operate in a vacuum. They derive from the voices, both inspired and insipid, from all corners of the world wide web. And they create fabulous and fabulously weird content. We encourage companies to take advantage of generative AI and LLMs to create the next generation of personalized education, medicine, and creative exploration.
At the same time, we encourage companies to be mindful of the existing rules that protect our privacy, so that transparent and trustworthy AI can be the foundation of these new creations.  
[1] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9870847
[2] https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9881490#english
[3] Cal. Civ. Code Section 1798.100(c)
[4] GDPR, Article 22; Cal. Civ. Code Section 1798.185(a)(16)
[5] See, e.g., GDPR, Article 28; Cal. Civ. Code Section 1798.140(ag)(1); 45 CFR Section 164.504(e) (Business Associate requirements under HIPAA)
[6] Cal. Civ. Code Section 1798.99.31(a)
[7] 15 U.S.C. Sec. 45(a)(1)
[8] See https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement for a list of FTC enforcement actions concerning privacy and cybersecurity
[9] https://www.ftc.gov/news-events/news/press-releases/2021/01/california-company-settles-ftc-allegations-it-deceived-consumers-about-use-facial-recognition-photo
[10] https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive
Meta fined US $1.3 billion for data transfer violations

The decade-long case on Meta’s transfer of EU personal data to the United States ended on May 22, 2023, with a € 1.2 billion (US $1.3 billion) GDPR fine against Meta.[1] In addition, the Irish Data Protection Commission (DPC) exercised the following corrective powers against Meta:
  • An order, pursuant to Article 58(2)(j) of the GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within five months.
  • An order, pursuant to Article 58(2)(d) of the GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within six months.[2]
The fine and corrective orders came after the Irish DPC found that Meta violated the GDPR by failing to protect EU Facebook users’ data from US surveillance practices and spy agencies. “We are happy to see this decision after ten years of litigation,” said the Austrian privacy activist Max Schrems.[3] “The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”

The US Surveillance Problem

In its decision, the Irish DPC recognized that US intelligence authorities have seemingly unrestricted access to EU data flowing into the US, including data from Meta’s data transfers. This access is based on Section 702 FISA and on Executive Order 12333.[4] Section 702 FISA permits, following FISC approval, the surveillance of individuals who are not US citizens located outside of the US to obtain “foreign intelligence information.” Executive Order 12333 allows the NSA to access data “in transit” to the US, by accessing underwater cables on the Atlantic floor. When Meta transferred EU personal information to the US for processing, Section 702 FISA and Executive Order 12333 allowed US intelligence authorities to access that data for broad surveillance activities. This access threatens the fundamental rights and freedoms of EU data subjects. To protect EU data subjects from this threat, Meta relied on the Standard Contractual Clauses (SCCs) to provide a level of protection to EU data subjects that is essentially equivalent to that provided by EU law.[5] However, as this decision demonstrates, the SCCs fail to provide Meta’s EU users with an equivalent level of protection as provided by EU law.

The SCCs & the Ongoing EU-US Data Transfer Issues

The Irish DPC’s decision continues the decade-long struggle for the EU and US to establish a valid data transfer mechanism.
In 2000, the US and EU developed the International Safe Harbor Privacy Principles to prevent private organizations within either country from accidentally losing or disclosing personal information. The European Commission decided that these principles complied with the EU Data Protection Directive, thereby allowing the flow of data between countries. However, the European Court of Justice declared in October 2015 that the Safe Harbor decision was invalid. Subsequently, in 2016, the US and EU developed the EU-US Privacy Shield, a legal framework for regulating and enabling transatlantic exchanges of personal data between the countries. Yet, as with Safe Harbor, the European Court of Justice declared Privacy Shield invalid in July 2020. This left companies to rely on contractual mechanisms, known as the SCCs, to transfer data between the countries without violating the GDPR. However, as the Irish DPC decision demonstrates, even though Meta relied on the SCCs, the SCCs failed to provide the protection necessary to ensure the transfer protected EU data subjects in accordance with the GDPR. Leaders within the US and EU announced in 2022 that a new data transfer framework called the Trans-Atlantic Data Privacy Framework (TADPF) had been agreed upon, but it is uncertain whether this framework will survive scrutiny from the European Court of Justice. The TADPF attempts to address the US surveillance problem by, in part, restricting access to EU personal information by US intelligence agencies to that which is “necessary and proportionate to protect national security.”[6] However, prominent privacy activists have expressed skepticism over how US surveillance can be “necessary and proportionate” under EU law.[7] In the meantime, without an international data transfer framework and with the sufficiency of the SCCs in question, companies will need to be cautious in how and when they transfer EU personal information from the EEA to the US. 
Meta to Appeal

In response to the decision, Meta announced that it will appeal the ruling and the “unjustified and unnecessary fine.”[8] However, given the breadth of the decision, it seems unlikely that Meta will win on appeal. In the meantime, Meta announced that there would be “no immediate disruption” to Facebook in Europe, as the decision provides Meta with an implementation period. If that implementation period runs out and Meta still lacks a valid legal mechanism by which to transfer data from the EEA to the US, then Meta may have to fragment its organization to ensure that EEA personal information largely remains stored in EEA databases.
[1] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf
[2] https://noyb.eu/sites/default/files/2023-05/DPC%20Press%20Release.pdf
[3] https://noyb.eu/en/edpb-decision-facebooks-eu-us-data-transfers-stop-transfers-fine-and-repatriation
[4] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf, at 7.51.
[5] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/
[6] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7631
[7] https://noyb.eu/en/open-letter-future-eu-us-data-transfers
[8] https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/
The EU’s Digital Markets Act: Who it regulates, how to comply, and next steps

On October 12, 2022, the Digital Markets Act (DMA) was published in the Official Journal of the EU, thereby creating a new framework for regulating the European Union’s digital market.[1] The DMA seeks to prohibit certain unfair business practices by establishing rules and obligations for entities known as “gatekeepers,” which are large online platforms whose services have a significant impact on the EU internal market.[2] The DMA works in conjunction with its sibling law, the Digital Services Act (DSA), to create an online environment designed to protect the fundamental rights of users and to establish a level playing field for economic growth. However, the DMA — like the DSA and the General Data Protection Regulation (GDPR) — can apply internationally to companies based outside of the EU, so all large online platforms should be aware of what the DMA could mean for businesses that qualify as gatekeepers.

Background

On December 15, 2020, the DMA was proposed by the European Commission to the European Parliament and to the Council of the EU, alongside the DSA.[3] The DMA and the DSA seek to actualize Ursula von der Leyen’s call to regulate the EU’s digital market, thereby upgrading the liability, safety, and fairness of digital platforms.[4] On March 24, 2022 — after years of negotiations — the Parliament, the Council, and the Commission reached a consensus on key provisions, including the interoperability provisions for large messaging platforms and noncompliance penalties.[5] The text of the DMA was then made public on May 22, 2022.[6] From there, the DMA moved swiftly through the legislative process: on July 5, Parliament formally adopted it;[7] on July 19, the Council formally adopted it;[8] on September 14, the DMA was signed into law;[9] and on October 12, the adopted text was published in the Official Journal of the European Union, thereby setting it to come into force twenty days later.[10]

To whom does the DMA apply?

The DMA applies to “gatekeepers” that provide or offer “core platform services” to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. A “core platform service” is broadly defined to include a wide range of Internet infrastructure and services, including:
  • Online search engines;
  • Online social networking services;
  • Video-sharing platform services;
  • Operating systems;
  • Web browsers;
  • Cloud computing services;
  • Online advertising services;
  • And more.
Given how broadly the DMA defines core platform services, the core question for most entities is whether their services reach enough EU individuals to establish them as a gatekeeper under the law. A “gatekeeper” is an entity that meets all three of the following statutory criteria. For each criterion, the DMA sets out quantitative thresholds under which the criterion is presumed to be satisfied:
  1. Has a significant impact on the EU internal market. Presumed satisfied if the entity:
    1. achieves an annual EU turnover of at least EUR 7.5 billion in each of the previous financial years, or has an average market capitalization or fair market value of at least EUR 75 billion in the last financial year; and
    2. provides the same core platform service in at least three Member States.
  2. Provides a core platform service that is an important gateway for business users to reach end users. Presumed satisfied if the entity:
    1. provides a core platform service that in the last financial year had at least 45 million monthly active end users in the EU; and
    2. has at least 10,000 yearly active business users established in the EU.
  3. Currently enjoys, or will foreseeably enjoy in the near future, an entrenched and durable position in its operations. Presumed satisfied if, in each of the last three financial years, the entity:
    1. has provided a core platform service that has at least 45 million monthly active end users in the EU; and
    2. has had at least 10,000 yearly active business users established in the EU.
The DMA puts the onus on companies and other entities to determine for themselves whether they satisfy the above requirements to be labeled a gatekeeper under the law. If an entity makes such a determination, it must notify the European Commission within two months after the thresholds are met. However, even if an entity fails to make such a notification, the Commission can determine for itself whether the entity is a gatekeeper.

Can the Digital Markets Act apply to entities outside of the EU?

Yes. The DMA applies to any gatekeeper that provides or offers core platform services to users in the Union, irrespective of whether the gatekeeper is located or established in the EU. However, providing or offering a core platform service is not sufficient in itself to establish an online platform as a covered gatekeeper. The online platform must satisfy all three of the criteria above. And as the presumptions accompanying each criterion demonstrate, the online platform must have a substantial number of EU users (e.g., 45 million monthly active end users in the EU). Thus, online platforms must be vigilant in monitoring the number of monthly users in the EU, because qualifying as a gatekeeper appears to hinge on the reach of the platform’s userbase. Of course, tracking this data must be done appropriately and with careful consideration, given that the online platform would also have to comply with the GDPR’s data minimization and purpose limitation principles.

Does the DMA treat all gatekeepers equally?

No. The DMA imposes a number of prohibitions and obligations on all gatekeepers. These include:
  • Not combining personal data from the core platform service with personal data from any other core platform services, any other services provided by the gatekeeper, or with personal data from third-party services (Art. 5(2)(b)).
  • Not requiring users to sign in to other services in order to combine personal data (Art. 5(2)(d)).
  • Allowing business users, free of charge, to promote their offers and conclude contracts with customers outside the gatekeeper’s platform (Art. 5(4)).
  • Providing companies advertising on the platform with the daily information, free of charge, concerning each advertisement placed on the core platform (Art. 5(9)-(10)).
However, per Article 8, some obligations are subject to specification. The Commission, either on its own initiative or based on a submission by a gatekeeper, can open a procedure that will lead to the Commission specifying some measures that the gatekeeper must adopt in order to effectively comply with the DMA. The provisions subject to specification are found in Articles 6 and 7, and they include:
  • Allowing third parties to interoperate with the gatekeeper’s own services in certain situations (Art. 6(7)).
  • Allowing business users to access the data they generate in their use of the gatekeeper’s platform (Art. 6(10)).
  • Providing companies advertising on the platform with the tools necessary for advertisers and publishers to carry out their own independent verification of advertisements hosted by the gatekeeper (Art. 6(8)).
  • Not preventing users from uninstalling any pre-installed software or app, if they wish to (Art. 6(3)).
  • Not treating services and products offered by the gatekeeper itself more favorably in ranking than similar services or products offered by third parties on the gatekeeper’s platform (Art. 6(5)).
  • Not preventing consumers from linking up to businesses outside their platforms (Art. 6(6)).
This means that, while all gatekeepers must adhere to the DMA’s obligations, some gatekeepers may receive specific instructions on how to satisfy those requirements in the context of that gatekeeper’s unique situation.

Are the enforcement penalties harsher than the GDPR’s?

Yes. Under the DMA, if the gatekeeper intentionally or negligently fails to comply with certain requirements, the Commission may impose a fine of up to 10% of the gatekeeper’s worldwide turnover in the preceding financial year. By contrast, GDPR violations can result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher. And it is worth recalling that gatekeepers are, by definition, extremely large companies serving many millions of users, so the company’s annual worldwide turnover would presumably be large as well.

What are the next steps for the DMA?

Within two months of May 2023, companies providing core platform services must notify the Commission and provide all relevant information for determining whether the company qualifies as a gatekeeper. The Commission will then have two months to decide whether to make such a designation. If a company is designated a gatekeeper, the company will have six months to comply with the DMA’s rules and obligations.
[1] https://www.skadden.com/insights/publications/2022/10/eu-digital-markets-act-enters-into-force
[2] https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0842
[4] https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
[5] https://www.engadget.com/europe-digital-markets-act-005742387.html
[6] https://www.consilium.europa.eu/en/press/press-releases/2022/03/25/council-and-european-parliament-reach-agreement-on-the-digital-markets-act/
[7] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment
[8] https://www.consilium.europa.eu/en/press/press-releases/2022/07/18/dma-council-gives-final-approval-to-new-rules-for-fair-competition-online/
[9] https://twitter.com/EP_SingleMarket/status/1570062248961363969
[10] https://www.consumerprivacyworld.com/2022/10/dma-eu-publishes-the-new-digital-markets-act/

Metaverse Law’s Lily Li to guest star on Threat Watch podcast to discuss risks of ChatGPT, generative AI, and LLMs

Near the end of 2022, generative AI models became something of a sensation. Art-based models like Midjourney, DALL-E, and Stable Diffusion threw the art world into a panic, prompting companies to ban AI-generated art.[1] Models like ChatGPT—and its underlying GPT-3.5 and GPT-4 LLMs—seemingly invaded every social sphere, from academia[2] to big tech,[3] and prompted many to start asking, “Will AI replace us?”[4] Given all this buzz around generative AI and LLMs, it’s only natural to consider the IT and security risks stemming from these emerging technologies. After all, there have been numerous recorded instances of actors using ChatGPT to build malware,[5] to improve malware,[6] to send phishing emails,[7] and more. To discuss these topics, Metaverse Law’s founder Lily Li will join host Dr. Rebecca Wynn on BrightTALK’s Threat Watch podcast to discuss the many issues, risks, and concerns arising out of the use of AI.

WHAT: Metaverse Law’s founder Lily Li will join host Dr. Rebecca Wynn on the Threat Watch podcast to discuss AI, chatbots, LLMs, and more.

WHEN: March 30, 2023 — 12:00 pm ET

WHERE: Online (with free registration)

TOPICS:
  • Data leaking and misuse in the AI supply chain.
  • Data transfer issues resulting from the use of AI.
  • IT and cyber security concerns.
  • Social engineering stemming from AI.
  • And more!
Whether you are currently using or thinking about using AI in your business, you do not want to miss Lily’s discussion on the risks and issues arising from this technology.
[1] https://brushwarriors.com/art-websites-that-ban-ai/
[2] https://www.tidio.com/blog/ai-in-education/
[3] https://www.zdnet.com/article/how-to-use-chatgpt-to-write-code/
[4] https://www.forbes.com/sites/robtoews/2021/02/15/artificial-intelligence-and-the-end-of-work/?sh=75edd9c456e3
[5] https://www.hackread.com/chatgpt-blackmamba-malware-keylogger/
[6] https://blog.checkpoint.com/2023/02/07/cybercriminals-bypass-chatgpt-restrictions-to-generate-malicious-content/
[7] https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away/