Article

Baden-Wuerttemberg DPA updates guidance on processing personal data in relation to AI

Published Date
Nov 6 2024
Related people

On October 17, 2024, the DPA of Baden-Wuerttemberg (LfDI) updated its discussion paper on the legal bases for processing personal data in relation to artificial intelligence (AI) (the Paper). The Paper emphasises the importance of integrating data protection principles into the development and deployment of AI systems. It will be continuously updated, taking into account feedback provided to the LfDI.

In the Paper, the LfDI notes that: 

  • In the context of AI, a natural person may be identified from the use of numbers to code and display data. The provider of an AI system must therefore assess whether third parties can receive personal data as the output with certain prompts and true or fictitious statements about individuals by the AI system should be attributed to the provider of the AI system if these prompts can reasonably be expected; 
  • The AI model itself could be regarded as personal data if model inversion attacks or membership inference attacks are possible;
  • It is necessary to use a detailed factual analysis in the context of AI to determine data protection roles;
  • There are several possible legal bases for carrying out data processing activities in relation to AI systems (including consent and performance of a contract) throughout the lifecycle of an AI system, from training to deployment (although the paper has a particular focus on legitimate interests). The LfDI recognises that legitimate interests are of particular importance in practice and provide a necessary degree of flexibility in relation to AI systems and discusses several legitimate interests in the context of AI systems, including the interest in developing an AI system or offering better and more innovative products. The LfDI notes that a detailed legitimate interest assessment which takes into account factors including the level of robustness of the machine learning procedure against manipulation and safeguards to ensure proper training is required in this context; 
  • In light of the widely publicised technological progress during recent years, data subjects may reasonably expect that if their data is published on the internet, it can be reused by third parties for other purposes; and
  • For accountability purposes organisations must be able to demonstrate compliance with data protection principles. Data processing activities in relation to AI use should be documented in records of processing activities, and a data protection impact assessment should be carried out for processing activities involving AI. 

The Paper also includes a checklist for data processing and AI. The first version of the Paper is available in English here, and the updated version in German here.

Related capabilities