欧盟EDPS首份生成式人工智能数据合规指南(英).pdf
003June2024GenerativeAIandtheEUDPR.FirstEDPSOrientationsforensuringdataprotectioncompliancewhenusingGenerativeAIsystems.1TheseEDPSOrientationsongenerativeArtificialIntelligence(generativeAI)andpersonaldataprotectionintendtoprovidepracticaladviceandinstructionstoEUinstitutions,bodies,officesandagencies(EUIs)ontheprocessingofpersonaldatawhenusinggenerativeAIsystems,tofacilitatetheircompliancewiththeirdataprotectionobligationsassetout,inparticular,inRegulation(EU)2018/1725.Theseorientationshavebeendraftedtocoverasmanyscenariosandapplicationsaspossibleanddonotprescribespecifictechnicalmeasures.Instead,theyputanemphasisonthegeneralprinciplesofdataprotectionthatshouldhelpEUIscomplywiththedataprotectionrequirementsaccordingtoRegulation(EU)2018/1725.TheseorientationsareafirststeptowardsmoredetailedguidancethatwilltakeintoaccounttheevolutionofGenerativeAIsystemsandtechnologies,theirusebyEUIs,andtheresultsoftheEDPS’monitoringandoversightactivities.TheEDPSissuestheseorientationsinitsroleasadataprotectionsupervisoryauthorityandnotinitsnewroleasAIsupervisoryauthorityundertheAIAct.TheseorientationsarewithoutprejudicetotheArtificialIntelligenceAct.2Introductionandscope31.WhatisgenerativeAI?...42.CanEUIsusegenerativeAI?63.HowtoknowiftheuseofagenerativeAIsysteminvolvespersonaldataprocessing?.74.WhatistheroleofDPOsintheprocessofdevelopmentordeploymentofgenerativeAIsystems?...85.AnEUIwantstodeveloporimplementgenerativeAIsystems.WhenshouldaDPIAbecarriedout?..96.Whenistheprocessingofpersonaldataduringthedesign,developmentandvalidationofgenerativeAIsystemslawful?.117.HowcantheprincipleofdataminimisationbeguaranteedwhenusinggenerativeAIsystems?148.AregenerativeAIsystemsrespectfulofthedataaccuracyprinciple?...159.HowtoinformindividualsabouttheprocessingofpersonaldatawhenEUIsusegenerativeAIsystems?1710.WhataboutautomateddecisionswithinthemeaningofArticle24oftheRegulation?...1811.HowcanfairprocessingbeensuredandavoidbiaswhenusinggenerativeAIsystems?2012.Whatabouttheexerciseofindividualrights?...2213.Whataboutdatasecurity?.....2314.Doyouwanttoknowmore?..253Introductionandscope1.TheseorientationsareintendedtoprovidesomepracticaladvicetotheEUinstitutions,bodies,officesandagencies(EUIs)ontheprocessingofpersonaldataintheiruseofgenerativeAIsystems,toensurethattheycomplywiththeirdataprotectionobligationsinparticularassetoutintheRegulation(EU)2018/1725(‘theRegulation’,orEUDPR).EveniftheRegulationdoesnotexplicitlymentiontheconceptofArtificialIntelligence(AI),therightinterpretationandapplicationofthedataprotectionprinciplesisessentialtoachieveabeneficialuseofthesesystemsthatdoesnotharmindividuals’fundamentalrightsandfreedoms.2.TheEDPSissuestheseorientationsinhisroleasadataprotectionsupervisoryauthorityandnotinhisnewroleasAIsupervisoryauthorityundertheAIAct.3.TheseorientationsdonotaimtocoverinfulldetailalltherelevantquestionsrelatedtotheprocessingofpersonaldataintheuseofgenerativeAIsystemsthataresubjecttoanalysisbydataprotectionauthorities.Someofthesequestionsarestillopen,andadditio