
Legal basis for processing personal data to develop an AI model

When processing personal data in both EU countries and the UK, it is important for the data controller to provide a legal basis in accordance with GDPR regulations. This requirement applies to all controllers, regardless of their location or operational jurisdiction, as long as they are processing data of EU or UK residents. The legal bases available to the data controller are precisely outlined in Article 6 of the relevant regulations.

In the specific case of the AI model, which is intended for commercial use and will involve training on personal data of individuals without a contract or consent, the appropriate legal basis is likely to be found in Article 6.1(f). This article states that processing is necessary for the legitimate interests pursued by the controller or a third party, unless such interests are outweighed by the rights and freedoms of the individual whose data is being processed, particularly in the case of children.

Would this be the correct legal basis for our situation?

On March 15, 2024, the Belgian Data Protection Authority reviewed the complaint regarding data processing for the purpose of training a personalized recommendation model. They determined that such training could be seen as the legitimate interest of the controller.

The data of the individual who lodged the complaint, which included details of payment transactions, was used as training data for developing models for the company’s “Personalized Discounts” services.

It is worth noting that the company shares the results of these AI models with individuals who have provided their consent. However, the company uses personal data to train the models without explicitly obtaining consent, citing Art. 6.1(f) as their legal justification based on their interests.

In order to determine the legality of data processing in this case, it is important to conduct a 3-part test. This test involves identifying a legitimate interest, demonstrating that the processing is necessary to achieve this interest, and balancing it against the individual’s interests, rights, and freedoms.

After reviewing the complaint, the Belgian ADP found that three conditions for invoking a legitimate interest were satisfied. The controller had a legitimate interest in processing data to build data models for personalized services, which are essential for their market positioning. Additionally, the processing of data was necessary to achieve this goal, as it was a crucial tool for analyzing transactional data. The ADP also recognized that the impact of the processing on the fundamental rights and freedoms of data subjects was proportional to the controller’s interest. Furthermore, the data processing was within the normal expectations of the data subjects, and the controller had implemented policies to minimize the impact on their rights and freedoms.

In light of the recent Belgian ADP decision, we now have the opportunity to more confidently select the legal basis for training models using personal data.

It’s important to keep in mind the need to inform the data subject about our processing activities to develop the AI model. This can be done by including relevant information in our privacy policy or privacy notice, specifying retention periods, conducting a legitimate interests assessment (LIA), and ensuring the rights of personal data subjects are upheld, including the rights to object, to restriction, and to erasure, and appointing an EU/UK Representative if our organization is based outside the EU or UK.

 

This is only a foretaste of what is to come and only the shadow of what is going to be ― Alan M. Turing