European Data Protection Supervisor Issues New Guidelines for Generative AI Compliance

Written by Jeremy Werner

Jeremy is an experienced journalists, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 06/06/2024
In News

In a significant move to ensure data protection in the rapidly evolving field of artificial intelligence, the European Data Protection Supervisor (EDPS) has released comprehensive guidelines aimed at EU institutions, bodies, offices, and agencies (EUIs) for the use of generative AI systems. These guidelines are designed to help EUIs navigate the complex landscape of data protection while leveraging generative AI technologies.


Generative AI, a subset of AI that uses specialized machine learning models to create a variety of outputs such as text, images, and audio, has seen widespread adoption across various sectors. However, the use of these systems comes with significant risks, particularly concerning data protection and privacy. The new EDPS guidelines provide practical advice and instructions to ensure compliance with Regulation (EU) 2018/1725, which governs the processing of personal data by EU institutions.


The guidelines are structured to address key aspects of generative AI use, starting with a clear definition of what constitutes generative AI. According to the EDPS, generative AI systems rely on foundation models that serve as the core architecture for more specialized applications. These models are trained on large datasets, often containing publicly available information, to generate outputs in response to user inputs.


One of the central tenets of the guidelines is the emphasis on data minimization. The EDPS advises EUIs to limit the collection and processing of personal data to what is necessary for the intended purpose. This principle should be applied throughout the lifecycle of the AI system, from training to deployment, ensuring that only relevant data is used and that it is handled responsibly.


Another crucial aspect covered by the guidelines is the necessity of conducting Data Protection Impact Assessments (DPIAs) before deploying generative AI systems. The EDPS underscores that DPIAs are essential for identifying and mitigating risks associated with the processing of personal data. These assessments should be carried out in consultation with Data Protection Officers (DPOs) to ensure compliance with data protection regulations and to safeguard individuals’ rights.


The guidelines also address the role of DPOs in the development and deployment of generative AI systems. DPOs are tasked with informing and advising on data protection obligations, monitoring compliance, and acting as points of contact for data subjects and the EDPS. Their involvement is crucial in ensuring that generative AI systems are developed and used in a manner that respects data protection principles.


In terms of transparency, the EDPS highlights the importance of informing individuals about the processing of their personal data. EUIs must provide clear and comprehensive information on how, when, and why personal data is being processed by generative AI systems. This includes details on the datasets used, the curation and tagging procedures, and any associated processing activities. Transparency is key to maintaining trust and ensuring that individuals are aware of how their data is being used.


The guidelines also tackle the issue of automated decision-making, emphasizing that generative AI systems must not undermine individuals’ rights. EUIs are advised to ensure that any decision-making processes involving AI include the possibility of human intervention, allowing individuals to contest decisions and express their viewpoints.


Furthermore, the EDPS guidelines stress the need for continuous monitoring and evaluation of generative AI systems. This includes regular assessments of data accuracy, bias, and security. EUIs must implement robust oversight mechanisms to detect and mitigate any biases that may arise during the training and deployment of AI models. They are also encouraged to adopt best practices for bias minimization and to ensure that processing activities are traceable and auditable.


The EDPS’s proactive approach to addressing the challenges posed by generative AI underscores the importance of balancing innovation with data protection. By providing these guidelines, the EDPS aims to support EUIs in leveraging the benefits of generative AI while ensuring compliance with data protection regulations and safeguarding individuals’ fundamental rights.


Need Help? 

If you have questions or concerns about AI guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.

Subscribe to our Newsletter

Keep up with the latest on BABL AI, AI Auditing and
AI Governance News by subscribing to our news letter