0
An image of the flag of Europe, which consists of twelve golden stars forming a circle on a blue field.

EDPB Opinion on AI Models and GDPR Principles: Key Takeaways

In December 2024, the European Data Protection Board (EDPB) issued an Opinion in response to a request from the Irish supervisory authority, focusing on the application of GDPR principles in the context of AI models. The Irish supervisory authority posed three specific questions:
  1. When and how can an AI model be considered “anonymous”?
  2. What is the appropriateness of legitimate interest as a legal basis for AI deployment and development?
  3. What are the consequences of unlawful processing of personal data on subsequent operations of the AI model?
Through its answers, the EDPB provided key guidance on how AI models interact with fundamental rights to privacy and data protection established in the GDPR.

Anonymous AI Models

According the EDPB, “[f]or a model to be anonymous, it should be very unlikely 1) to directly or indirectly identify individuals whose data was used to create the model, and 2) to extract such personal information from the model through queries.” While anonymous data can help mitigate privacy concerns, it does not automatically make the AI model completely exempt from GDPR compliance. When a model is claimed to be anonymous, supervisory authorities will evaluate the claims of anonymity on a case-by-case basis, considering “all the means likely to be used” by the controller or a user. The Opinion states that supervisory authorities should review the documentation provided by the controller when assessing if the model is truly anonymous. The EDPB outlines methods that the controller may use to demonstrate anonymity, which may include: 1) reducing the amount of personal data used during training, 2) taking steps to ensure this data cannot be identified, and 3) utilizing technical safeguards to prevent data extraction from the AI model using prompts or queries. Key Takeaway: If a business claims an AI model relies on anonymous data, the claims of anonymity should be substantiated on a case-by-case basis with sufficient evidence and documentation. To do this, businesses with allegedly anonymous AI models may need to implement technical measures to limit the collection of data, reduce the likelihood of data being identifiable, protect against that data being extracted by users during deployment, and create documentation capable of demonstrating these efforts.

Legitimate Interest as a Legal Basis

Under the GDPR, a legitimate interest may constitute a legal basis for companies to process personal data when they have a justifiable reason to do so (beyond obtaining consent). However, the legitimate interest should be balanced against the data subject’s rights and interests, which requires careful consideration and justification when processing information from data subjects. The Opinion provides a framework to assess if a legitimate interest can be a valid legal basis for processing personal data in AI development and deployment. The framework is comprised of a three-step test:
  1. Identify the legitimate interest pursued by the controller;
  2. Assess the necessity of the processing for purposes of the legitimate interest; and,
  3. Balance the legitimate interests against the rights and freedoms of the data subjects.
When conducting this test, the controller should be careful to identify an interest that is lawful, clearly articulated, and non-speculative. For example, a legitimate interest may be to develop an AI model’s conversational agent or to improve threat detection in an information system. The controller should also adhere to GDPR data minimization principles, which state that the processing activities must be proportionate and in line with only what is necessary to achieve the legitimate interest. Finally, controllers should conduct a nuanced balancing test. This test considers the unique circumstances of each case, which may include the data subject’s interest in retaining control over their data, personal benefits, or socioeconomic interest. The Opinion notes, the more precisely an interest is defined in relation to the purpose of the processing, the more precise the estimation of benefits and risks will be. By employing this framework, developers and deployers should be able to decrease the likelihood that their AI models are disproportionately infringing on individual privacy rights and better align their AI practices with GDPR requirements. Key Takeaway: The three-step analysis, according to the Opinion, is crucial to improving compliance for organizations relying on legitimate interest as a legal basis for processing in AI development or deployment. Organizations relying on legitimate interest in this AI context should review their processing activities to determine whether they are proportionate, transparent, and aligned with GDPR principles—like data minimization—to justify the reliance on legitimate interest as a legal basis for processing.

Consequences of Unlawful Processing

The Opinion notes that supervisory authorities enjoy discretionary powers to investigate and assess violations, and they can choose appropriate remedial measures based on the context of the case. However, the EDPB also provides guidance for the supervisory authorities, based on three scenarios.
  1. In the first scenario, personal data is retained in the AI model. The Opinion states that supervisory authorities will need to consider the surrounding circumstances of the AI model to determine if the development and deployment phases of the model involve different legitimate purposes for processing. If so, each should be examined separately.
  2. In the second scenario, personal data is retained in the model and is processed by another controller during deployment. In this instance, the supervisory authorities should determine if the deploying controller conducted an appropriate assessment to demonstrate accountability with Articles 5(1)(a) and 6 of the GDPR. This assessment should show that the AI model was not developed by unlawfully processing personal data.
  3. In the final scenario, a controller unlawfully processes personal data to develop the AI model, and then anonymizes the data before processing it in the context of deployment. The Opinion states that, if it can be demonstrated to the supervisory authorities that the deployment of the AI model does not entail the processing of personal data, then the GDPR does not apply. Therefore, the unlawfulness of the initial processing in development should not impact the deployment operation of the model.
While supervisory authorities do have substantial discretion in oversight of processing activities, the scenarios highlighted by the EDPB show that the development and deployment phases, while connected, may need to be evaluated independently. Key Takeaway: Organizations should proactively ensure compliance at both the development and deployment stages of an AI model. Supervisory authorities will likely use the above examples as guidance, emphasizing the important of demonstrating lawful practices through each stage of the model. The EDPB’s Opinion is an important guide for organizations navigating the intersection of AI and data privacy law. By addressing issues around anonymous AI models, legitimate interest, and lawful processing in development and deployment stages, the Opinion emphasizes responsible AI development. As AI technologies continue to advance, businesses should be aware of the ways supervisory authorities are overseeing their AI models. The insights provided by the EDPB provide a foundation to help businesses to advance and develop new AI models, while also helping to safeguard and protect the rights of individuals.
0

Upcoming Webinar: The EU AI Act: How Will It Affect Your Business?

On Thursday, December 12, 2024 at 11am ET, DataCamp will host a live webinar titled “The EU AI Act: How Will It Affect Your Business?” The speakers are Dan Nechita, Lead Technical Negotiator for the EU AI Act on behalf of the European Parliament, and Lily Li, Data Privacy, Cybersecurity & AI Lawyer and Founder of Metaverse Law. They will cover AI governance and risk management requirements under the EU AI Act and new US AI law. Attendees will:
  • Learn about the scope and requirements of the EU AI Act and other AI legislation.
  • Understand the risk classification system and the requirements for AI literacy.
  • Learn how to comply with regulations and the consequences of non-compliance.
  Join us for this informational webinar by registering at the DataCamp website using this hyperlink.
0
American dollars and European Euros stacked on top of each other.

Cybersecurity Laws for the Fintech Industry

In our modern digital landscape, the intersection of cybersecurity, finance and tech has become a focal point for regulators. With the rise of fintech, insurtech, personal financial management, alternative investments, and complex financial APIs, legal frameworks are evolving to keep pace.   Below are five notable cybersecurity legal updates within the financial sector, impacting financial institutions, fintech companies, and their service providers both domestically and abroad:  
  1. EU’s Digital Operational Resilience Act (DORA);
  2. SEC Amendments to Regulation S-P;
  3. FTC Standards for Safeguarding Consumer Information;
  4. Nacha’s Updates to Operating Rules; and
  5. CFPB’s Rulemaking on Personal Financial Data Rights.
 
  1. EU’s Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is an EU regulation that applies to financial entities and third parties that support them. DORA requires that applicable organizations must “follow rules for the protection, detection, containment, recovery and repair capabilities against [information and communication technology]-related incidents,” per the DORA website.   When Does it Take Effect? DORA entered into force on January 16, 2023, and will apply to each member state of the EU beginning January 17, 2025.   Who Does This Apply to? Financial Entities: Under DORA, financial entities are defined broadly to include banks, insurance providers, investment firms, payment institutions, credit institutions and credit rating agencies, and more.   ICT Third-Party Service Providers: DORA’s scope also includes Information Communication Technology (ICT) third-party service providers.  ICT third-party service providers are companies that provide digital and data services to financial entities. These providers include hardware providers as well as cloud computing services, software, data analytics services and providers of data center services. After identification, these providers are then be deemed critical or non-critical, with critical ICT service providers subject to additional requirements.   Key Takeaways DORA establishes uniform requirements regarding network security and information systems that support financial entities.   To establish this uniform framework, the Act requires:  
  • Managing risk of ICT resources. Financial entities are required to create and maintain an internal governance and control framework for the effective management of ICT risk.
 
  • Reporting on ICT-related incidents and major operational or security payment-related incidents. Financial entities are required to report major ICT-related incidents, and to voluntarily report cyber threats to competent authorities.
 
  • Digital operational resilience testing. Financial entities are required to establish, maintain and review a sound and comprehensive digital operational resilience testing program, including a range of assessments, tests, methodologies, practices and tools.
 
  • Contracting with ICT third-party service providers. Financial entities and ICT third-party service providers are required to clearly set out relevant rights and obligations in writing, including specific elements defined in the Act. Additionally, critical ICT-providers are subject to additional requirements.
 
  • Implementing measures for management of ICT third-party risk. Financial entities are required to adopt, and regularly review, a strategy on ICT third-party risk including a register of information related to the required contractual agreements between financial entities and ICT third-party service providers.
  Because the definition of “ICT third-party service providers” includes a range of entities that provide digital and data services, it is important that both financial entities and providers of ICT services are familiar with the requirements imposed by DORA.  
  1. SEC Amendments to Regulation S-P
Regulation S-P is a set of rules created by the Security and Exchange Commission (SEC). It requires certain parties to adopt written policies and procedures for the protection of customer records and information. The amendments to the Regulation are designed to address the expanded use of technology and associated risks that have emerged since the Regulation’s original adoption in 2000.   When Does it Take Effect? The SEC adopted the amendments to Regulation S-P on May 16, 2024, with an effective date of August 2, 2024. Larger entities will need to comply by December 3, 2025 while smaller entities will need to comply by June 1, 2026.   Who Does This Apply To? Regulation S-P applies to “covered institutions”, including broker-dealers, registered investment companies, as well as registered investment advisors (RIAs), funding portals, and transfer agents registered with the SEC or another appropriate regulatory agency.   Key Takeaways: The amendments to Regulation S-P modernize the rules regarding the treatment of consumers’ nonpublic personal information by imposing privacy-related protections.   Among other things, the amended Regulation requires:  
  • Adopting an incident response program. Covered institutions must adopt written policies and procedures for incident response programs to handle unauthorized access of information. This policy should be reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information.
 
  • Updating consumer notification protocols. As part of the required incident response programs, covered institutions are required to notify consumers whose sensitive information was or is reasonably likely to have been accessed or used without authorization. This notice must be as soon as reasonably practicable, but no later than 30 days after the Covered Institution has become aware of the unauthorized access.
 
  • Providing oversight of service providers. Covered institutions are required to establish, maintain and enforce written policies that are reasonably designed to require oversight – including through monitoring of service providers to ensure that any individuals impacted by breach of sensitive information receive any required notices.
 
  • Expanding the scope of the Regulation. The amended Regulation aligns more closely to the FTC’s Safeguards Rule. Both rules apply to “customer information,” defined as “any record containing nonpublic personal information” about a customer of a financial institution. Additionally, the amendments broaden the group of customers whose information is protected under this Regulation.
 
  • Updating recordkeeping and annual privacy notices. The amended Regulation will add requirements to certain covered institutions to maintain written documentation of compliance. Additionally, certain covered institutions must provide a clear and conspicuous privacy notice at least annually during the customer relationship.
   
  1. FTC Standards for Safeguarding Consumer Information
The Federal Trade Commission’s (FTC’s) Standards for Safeguarding Consumer Information (the Safeguards Rule) is a set of regulations that requires certain financial institutions to protect consumer information.   When Does it Take Effect? In October 2023, the FTC announced the revised provisions of the Safeguards Rule, and the Rule took effect on May 13, 2024.   Who Does This Apply To? The Safeguards Rule applies to “financial institutions” that are covered by the FTC’s jurisdiction. This includes mortgage and payday lenders, finance companies, mortgage brokers, account services, check cashers, and investment advisors that are not required to register with the FTC, among others. This rule does not apply to those financial institutions subject to the authority of another regulator under §505 of the Gramm-Leach-Bliley Act.   Additionally, there are exemptions to this rule, including financial institutions that maintain consumer information concerning fewer than 5,000 consumers.   Key Takeaways The Safeguards Rule requires financial institutions to develop and maintain an information security program to protect consumer information. The amendments to the Safeguards Rule require entities to report data and security breaches affecting 500 people or more.   Among other things, the Safeguards Rule requires:  
  • Implementation of a security program. Financial institutions are required to develop, implement, and maintain a comprehensive security program. This program should be appropriate to the size, complexity, nature and scope of activities, and sensitivity of consumer information. The FTC Safeguards Rule also imposes minimum security controls on financial institutions, including but not limited to secure development, encryption and MFA.
 
  • Notifying the FTC. The amendment requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving at least 500 consumers.
 
  1. Nacha’s Updates to Operating Rules
The National Automated Clearing House Association (Nacha) Operating Rules govern how the Automated Clearing House (ACH) Network functions. The Nacha Rules cover all ACH payments, providing guidelines for securely storing, accessing, and transmitting sensitive customer information.   When Does it Take Effect? The changes to the Nacha Operating Rules became effective on October 1, 2024.   Who Does This Apply To? The Nacha Operating Rules apply to entities that collect and store non-public sensitive information in ACH transactions, including bank account and routing numbers, social security numbers, and driver’s license numbers, among other information.   Key Takeaways In 2024, the Nacha Operating Rules underwent amendments as part of a larger risk management package. These amendments are intended to reduce fraud and improve the recovery funds after fraud has occurred.   Among other things, the amendments to the Rules include:  
  • Allowing financial institutions to return entries via R17. A receiving depository financial institution (RDFI) may, but is not required, to use return code R17 to return an entry it believes is fraudulent. This amendment defines the return code for this use and is designed improve the recovery of funds that originated from fraud.
 
  • Expanding the uses of Request for Return. An originating depository financial entity (ODFI) may request a return from the RDFI for any reason. Under this amendment, the ODFI would still indemnify the RDFI for compliance with the request, and compliance by the RDFI remains optional.
 
  • Creating additional funds availability exceptions. This amendment provides RDFIs with an additional exception from the existing funds availability requirements, including credit entries that the RDFI suspects are fraudulent. This rule is intended to improve the recovery of funds obtained by fraud.
 
  • Modifying the timing of Written Statement of Unauthorized Debit (WSUD). While the rule previously allowed that a WSUD could be date on or after the Settlement Date of Entry, this amendment will allow a WSUD to be signed and dated by the receiver on or after the date on which the entry is presented to the receiver – even if the debit has not yet been posted to the account.
 
  • Requiring RDFI to return unauthorized debit. When returning a consumer debit as unauthorized, the RDFI must make the return by the sixth banking day following the completion of its review of the consumer’s signed WSUD. This prompt return will is intended to alert the ODFI of potential issues, and is intended to improve the recovery of funds and occurrence of future fraud.
   
  1. CFPB’s Rulemaking on Personal Financial Data Rights
The Consumer Financial Protection Bureau (CFPB) issued a final Rule to carry out the personal financial rights established by the Consumer Financial Protection Act of 2010 (CFPA).  This Rule allows consumers to access account data controlled by certain providers of consumer financial products in a safe, secure manner.   When Does it Take Effect? The data providers covered under this Rule must comply with the requirements in phases: the largest institutions will have to comply by April 1, 2026, while the smallest institutions must comply by April 1, 2030.   Who Does This Rule Apply To? Under this Rule, a “data provider” is required to make the covered data available, in electronic form, to consumers and certain authorized third parties.   A “data provider” includes depository institutions, such as credit unions, and non-depository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services. However, the rule does not apply to certain small depository institutions.   Key Takeaways This Rule enables consumers and authorized third parties to access consumer account information. This enables account holders to make more informed and freely made decisions regarding their providers.   Among other things, the Rule requires:  
  • Disclosing certain information. Data providers must provide certain data – including information about transactions, costs, charges, and usage – available to consumers and authorized third parties upon request.
 
  • Adhering to disclosure requirements. Disclosures must be made in a standardized and machine-readable format and in a commercially reasonable manner, among other disclosure requirements.
 
  • Banning “screen scraping” by third parties. A data provider cannot comply with the requirement to make certain data available to third parties by allowing the third party to use “screen scraping” – an access method using consumer credentials to log in to the consumer account to retrieve data.
1 2