This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Norton Rose Fulbright logo
  • Global
  • About
    • Back
    • About
    • Our firm
      • Back
      • Our firm
      • Clients
      • Global coverage
      • Vision, culture and people
      • Governance structure
      • Risk management
      • NRF Transform
      • Alumni
    • Diversity, Equity & Inclusion
      • Back
      • Diversity, Equity & Inclusion
      • Our people
      • Recognition
      • Governance
    • Corporate responsibility
      • Back
      • Corporate responsibility
      • Pro bono
      • Volunteering
      • Fundraising
      • Sustainable practice
      • Global charitable initiatives
    • Photo montage
      RE:

      Read our magazine
  • People
  • Services
    • Back
    • Services
    • Services A-Z
    • Key industries
      • Back
      • Key industries
      • Consumer markets
      • Energy, infrastructure and resources
      • Financial institutions
      • Life sciences and healthcare
      • Technology
      • Transport
    • Practices
      • Back
      • Practices
      • Antitrust and competition
      • Banking and finance
      • Bankruptcy, financial restructuring and insolvency
      • Climate change and sustainability
      • Consulting
      • Corporate, M&A and securities
      • Employment and labor
      • Energy
      • Environmental, social and governance (ESG)
      • Financial services and regulation
      • Information governance, privacy and cybersecurity
      • Intellectual property
      • Litigation and disputes
      • Private equity and venture capital
      • Projects
      • Real estate
      • Regulation and investigations
      • Risk advisory
      • Tax
      • Banking and finance
      • Climate change and sustainability
      • Corporate, M&A and securities
      • Energy
      • Financial services and regulation
      • Intellectual property
      • Private equity and venture capital
      • Real estate
      • Risk advisory
    • NRF Transform
    • Transform image

      Find out more
  • Insights
    • Back
    • Insights
    • NRF InstituteProfessional developmentResources and tools
    • PublicationsBlogsVideos
    • EventsWebinarsPodcasts
    • colorful light particles
      Sustainability and ESG

      Visit the hub
  • News
    • Back
    • News
    • Press releases
    • Market recognitions
    • Media information
  • Locations
  • Careers
    • Back
    • Careers
    • Graduates and students
    • Search current vacancies
      • Back
      • Search current vacancies
  • Change
  • Global
    • Back
    • global site
    • North America
      • Canada (English)
      • Canada (Français)
      • United States
    • Latin America
      • Latin America
      • Brazil
      • Mexico
    • Europe
      • Belgium
      • Deutschland (Deutsch)
      • France
      • Germany (English)
      • Greece
      • Italy
      • Luxembourg
      • Poland
      • The Netherlands
      • Turkey
      • United Kingdom
    • Middle East
    • Africa
      • Africa
      • Burundi
      • Kenya
      • Morocco
      • South Africa
      • Uganda
      • Zimbabwe
    • Asia Pacific
      • Australia
      • China
      • Hong Kong SAR
      • Indonesia
      • Japan
      • Singapore
      • Thailand
    • Regional practices
      • India
      • Israel
      • Korea
      • Marshall Islands
      • Nordic region
      • Pakistan
      • Vietnam
Lake in the forest

Connections

Insights, perspectives and viewpoints from our lawyers on topical issues

All Posts Subscribe
print-logo
12/18/2024 4:48:29 PM | 2 minute read

Data protection and training AI models: Deployers must assess whether the models they use were developed lawfully

1
95

Get in touch

Avatar
Marcus Evans
Head of Information Governance, Privacy and Cybersecurity, EMEA
Avatar
Rosie Nance
Senior Knowledge Lawyer

Get in touch

Avatar
Marcus Evans
Head of Information Governance, Privacy and Cybersecurity, EMEA
Avatar
Rosie Nance
Senior Knowledge Lawyer
1
95

The European Data Protection Board (EDPB) was asked by the Irish supervisory authority to issue an Opinion under Article 64(2) General Data Protection Regulation (GDPR) on AI models and processing personal data (the Opinion). The Opinion sets out the EDPB’s answers to the four questions the Irish supervisory authority put to it.



1. When and how AI models can be considered ‘anonymous’ 
The EDPB considers that AI models trained with personal data cannot, in all cases, be considered anonymous. Anonymity must be assessed on a case-by-case basis. For an AI model to be considered anonymous, both (1) the likelihood of direct (including probabilistic) extraction of personal data regarding individuals whose personal data were used to develop the model and (2) the likelihood of obtaining, intentionally or not, such personal data from queries, should be insignificant, taking into account ‘all the means reasonably likely to be used’ by the controller or another person.  It does not refer to the discussion paper from the Hamburg Commissioner for Data Protection and Freedom of Information and the view that LLMs do not store personal data. The EDPB has flagged that it plans to issue guidelines on anonymisation, pseudonymisation, and data scraping in the context of generative AI.

2. and 3. Demonstrating the appropriateness of legitimate interests as a legal basis for (2) developing and (3) deploying an AI model 
The Opinion highlights several considerations, including factors that will impact on the balancing test.

4. If an AI Model has been found to have been created, updated or developed using unlawfully processed personal data, what is the impact of this, if any, on the lawfulness of the continued or subsequent processing or operation of the AI model? 
The EDPB noted that where a model retained personal data, another controller deploying that model would need to carry out an appropriate assessment to ensure the AI model was not developed by unlawfully processing personal data. The assessment should take account of the risks raised in the deployment phase in terms of the level of detail, and should look at the source of the personal data and whether the processing in the development phase was subject to a finding of infringement.

 

The finding on the fourth question will be important for controllers using AI models, particularly generative AI. The EDPB has highlighted that controllers deploying AI models may not be able to comply with their GDPR obligations if the model was not developed lawfully – even where the provider is a third-party supplier. Whether the deployer can use the model lawfully will be assessed on a case-by-case basis, taking account of the assessment carried out by the deployer.

Organisations need to ensure they have an AI governance programme in place and that under that programme, all AI models and AI systems are assessed appropriately before deployment. They should also make sure that the process captures everything it needs to capture – for example, new AI functionalities for existing tools. Policies should also be in place to address shadow IT, as the promise of productivity gains may tempt staff into trying tools that have not been assessed at all. 

These assessments will also be important to ensure no prohibited use of AI is being made, as the AI Act’s prohibitions apply from 2 February 2025 (with fines of 7% worldwide turnover for non-compliance), and to catch any other AI Act obligations. But the GDPR obligations covered in the Opinion apply now – the EDPB is confirming the position under obligations that already are in place.

cybersecurity privacy protection concept. information security and encryption, secure access to user's personal information, secure Internet access, cybersecurity.

Subscribe to our Connections insights Sign-up now

Tags

technology, artificial intelligence, data privacy

Get in touch

Avatar
Marcus Evans
Head of Information Governance, Privacy and Cybersecurity, EMEA
Avatar
Rosie Nance
Senior Knowledge Lawyer

Get in touch

Avatar
Marcus Evans
Head of Information Governance, Privacy and Cybersecurity, EMEA
Avatar
Rosie Nance
Senior Knowledge Lawyer
Key takeaways from MIPIM 2025: Future-proofing data centres
3/25/2025 4:21:32 PM

Key takeaways from MIPIM 2025: Future-proofing data centres

By Kirsty Harrower
As the digital infrastructure landscape continues to evolve, increasing AI workloads present both challenges and opportunities for data...
1
35
36

Latest Insights

Summer reading arrived early: European Commission aims for balancing act in its review of merger guidelines
5/9/2025 8:36:59 AM

Summer reading arrived early: European Commission aims for balancing act in its review of merger guidelines

By Alexandra Rogers Sabine Holinde
25
25
Shaping future successes: My takeaways from "An evening with Annie Vernon"
5/8/2025 1:38:17 PM

Shaping future successes: My takeaways from "An evening with Annie Vernon"

By Emma Humphries
Maritime decarbonisation: Current issues facing shipping companies
5/1/2025 1:36:52 PM

Maritime decarbonisation: Current issues facing shipping companies

By Kelli Bodal Hansen Philip Roche
13
13

Explore our site

  • About
  • Careers
  • Diversity, equity and inclusion
  • People
  • Services
  • Insights
  • News

Key industries

  • Consumer markets
  • Energy, infrastructure and resources
  • Financial institutions
  • Life sciences and healthcare
  • Technology
  • Transport

Locations

  • Global coverage

Norton Rose Fulbright © 2024. All Rights Reserved.

  • Amsterdam
  • ●
  • Athens
  • ●
  • Austin
  • ●
  • Bangkok
  • ●
  • Beijing
  • ●
  • Brisbane
  • ●
  • Brussels
  • ●
  • Bujumbura**
  • ●
  • Calgary
  • ●
  • Canberra
  • ●
  • Cape Town
  • ●
  • Casablanca
  • ●
  • Dallas
  • ●
  • Denver
  • ●
  • Dubai
  • ●
  • Durban
  • ●
  • Düsseldorf
  • ●
  • Frankfurt
  • ●
  • Hamburg
  • ●
  • Harare**
  • ●
  • Hong Kong SAR
  • ●
  • Houston
  • ●
  • Istanbul
  • ●
  • Jakarta*
  • ●
  • Johannesburg
  • ●
  • Kampala**
  • ●
  • London
  • ●
  • Los Angeles
  • ●
  • Luxembourg
  • ●
  • Melbourne
  • ●
  • Mexico City
  • ●
  • Milan
  • ●
  • Minneapolis
  • ●
  • Monaco
  • ●
  • Montréal
  • ●
  • Munich
  • ●
  • Newcastle
  • ●
  • New York
  • ●
  • Nairobi**
  • ●
  • Ottawa
  • ●
  • Paris
  • ●
  • Perth
  • ●
  • Piraeus
  • ●
  • Québec
  • ●
  • Riyadh*
  • ●
  • San Antonio
  • ●
  • San Francisco
  • ●
  • São Paulo
  • ●
  • Shanghai
  • ●
  • Singapore
  • ●
  • St. Louis
  • ●
  • Sydney
  • ●
  • Tokyo
  • ●
  • Toronto
  • ●
  • Vancouver
  • ●
  • Warsaw
  • ●
  • Washington DC *associate office **alliance
  • Legal notices and disclaimers
  • Impressum
  • Standard terms
  • Blog network terms and conditions
  • Cookies policy
  • Privacy notice
  • Website access conditions
  • Fraud alerts
  • Modern Slavery Statements
  • Health plan machine readable files
  • Anti-Facilitation of Tax Evasion Statement
  • Suppliers
  • History
  • Remote access
  • Sitemap
Offices and locations

Norton Rose Fulbright © 2024. All Rights Reserved.

  • Amsterdam
  • ●
  • Athens
  • ●
  • Austin
  • ●
  • Bangkok
  • ●
  • Beijing
  • ●
  • Brisbane
  • ●
  • Brussels
  • ●
  • Bujumbura**
  • ●
  • Calgary
  • ●
  • Canberra
  • ●
  • Cape Town
  • ●
  • Casablanca
  • ●
  • Dallas
  • ●
  • Denver
  • ●
  • Dubai
  • ●
  • Durban
  • ●
  • Düsseldorf
  • ●
  • Frankfurt
  • ●
  • Hamburg
  • ●
  • Harare**
  • ●
  • Hong Kong SAR
  • ●
  • Houston
  • ●
  • Istanbul
  • ●
  • Jakarta*
  • ●
  • Johannesburg
  • ●
  • Kampala**
  • ●
  • London
  • ●
  • Los Angeles
  • ●
  • Luxembourg
  • ●
  • Melbourne
  • ●
  • Mexico City
  • ●
  • Milan
  • ●
  • Minneapolis
  • ●
  • Monaco
  • ●
  • Montréal
  • ●
  • Munich
  • ●
  • Newcastle
  • ●
  • New York
  • ●
  • Nairobi**
  • ●
  • Ottawa
  • ●
  • Paris
  • ●
  • Perth
  • ●
  • Piraeus
  • ●
  • Québec
  • ●
  • Riyadh*
  • ●
  • San Antonio
  • ●
  • San Francisco
  • ●
  • São Paulo
  • ●
  • Shanghai
  • ●
  • Singapore
  • ●
  • St. Louis
  • ●
  • Sydney
  • ●
  • Tokyo
  • ●
  • Toronto
  • ●
  • Vancouver
  • ●
  • Warsaw
  • ●
  • Washington DC *associate office **alliance
Policies and disclaimers
  • Legal notices and disclaimers
  • Impressum
  • Standard terms
  • Blog network terms and conditions
  • Cookies policy
  • Privacy notice
  • Website access conditions
  • Fraud alerts
  • Modern Slavery Statements
  • Health plan machine readable files
  • Anti-Facilitation of Tax Evasion Statement
  • Suppliers
  • History
  • Remote access
  • Sitemap
Visit our global site, or select a location
North America
  • Canada (English)
  • Canada (Français)
  • United States
Latin America
  • Brazil
  • Mexico
Europe
  • Belgium
  • Deutschland (Deutsch)
  • France
  • Germany (English)
  • Greece
  • Italy
  • Luxembourg
  • Poland
  • The Netherlands
  • Turkey
  • United Kingdom
Middle East
Africa
  • Burundi
  • Kenya
  • Morocco
  • South Africa
  • Uganda
  • Zimbabwe
Asia Pacific
  • Australia
  • China
  • Hong Kong SAR
  • Indonesia
  • Japan
  • Singapore
  • Thailand
Regional practices
  • India
  • Israel
  • Korea
  • Marshall Islands
  • Nordic region
  • Pakistan
  • Vietnam