Written by Kieran Harte
“AI technologies may bring many opportunities and benefits to different industries and areas of life. We need to make sure these innovations are done ethically, safely, and in a way that benefits everyone. The EDPB wants to support responsible AI innovation by ensuring personal data are protected and in full respect of the General Data Protection Regulation (GDPR)” – Anu Talus, EDPB Chair.
A fundamental principle of the GDPR is that personal data must be processed in a lawful, fair, and transparent manner. For a controller to process personal data, they must have a legal basis under the GDPR. The appropriate legal bases for legitimizing the processing of personal data by AI systems are highly context-specific and often require a “necessity” criterion under the GDPR. It’s crucial to evaluate the objectives and goals of your processing to determine if they can be achieved through non-AI technologies or methods, which might be more suitable or pose fewer risks.
Using Legitimate Interests as a Legal Basis
An interest is the broader stake or benefit that an organisation (or a third party) may have in engaging in a specific processing activity. While the GDPR and the CJEU recognised several interests as being legitimate, the assessment of the legitimacy of a given interest should be the result of a case-by-case analysis.
Accordingly, not all interests can be considered legitimate. If an organisation chooses to use legitimate interests, within the meaning of Article 6(1)(f) GDPR, as a legal basis, the processing must be necessary, and the interest must cumulatively be:
- related to their actual activities and manifestly lawful, i.e., not contrary to EU or Member State law.
- defined clearly and precisely, i.e. the more precisely the interests are defined, the narrower the scope of risks to be considered, which is crucial for compliance with transparency obligations.
- actual and current, i.e., not hypothetical or speculative.
The European Data Protection Board (EDPB) makes it clear that legitimate interests cannot be considered as a legal basis “by default”. In other words, the open-ended nature of legitimate interests should not be considered as an “open door” to legitimise all data processing activities that don’t fall under any of the other legal bases in GDPR.
Legitimate Interests Assessments
The primary goal of the balancing exercise is not to eliminate any impact on the interests and rights of data subjects entirely. Instead, it aims to prevent disproportionate impacts and to weigh these aspects against each other.
Therefore, the benefits of processing, including anticipated benefits, should be balanced against the potential negative impacts on data subjects during the legitimate interest assessment. This assessment should first determine whether the processing is genuinely necessary for the identified legitimate interest and whether it can be achieved through less restrictive means that better protect the fundamental rights and freedoms of individuals. When conducting this assessment, the organization should ensure that the data is relevant to the purpose pursued and limited to what is necessary to achieve this purpose, adhering to the data minimization principle.
The assessment should also identify and describe:
- The data subjects’ interests, fundamental rights and freedoms. The greater the anticipated processing benefits, the more likely the legitimate interests will prevail over individuals’ rights and freedoms. The more precisely these legitimate interests are described, the more weight they will have in the balancing exercise, since precise description makes it possible to capture the reality of the benefits to be considered. On the other hand, if the legitimate interests are set out too broadly, they are unlikely to prevail over the interests of individuals.
- The potential adverse effects of processing on data subjects, including:
  - the nature of the data to be processed (such as special category data)
  - the status of the data subjects (vulnerable persons, children, etc.)
  - the context of the processing
  - any further consequences of the processing
  - the reasonable expectations of the data subject
- The final balancing of opposing rights and interests, including, if necessary, putting in place additional measures to limit these risks and protect the rights and freedoms of individuals. These can include:
  - data minimisation (e.g. strict limitations on the collection of data, or immediate deletion of data after use)
  - technical and organisational measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals (‘functional separation’)
  - wide use of anonymisation techniques, aggregation of data, privacy-enhancing technologies, privacy by design, and privacy and data protection impact assessments
  - increased transparency, a general and unconditional right to object (opt-out), data portability, and related measures to empower data subjects.
It’s important to remember that with the implementation of the GDPR, many actions previously considered as ways to limit the impact of processing on data subjects, or as mitigating measures, are now legal obligations for controllers. These include data minimization, data protection by design and by default, and data security. This is critical in the balancing test, which assumes that the controller already adheres to the principles and obligations established by the GDPR.
Relying on Legitimate Interests for AI Systems and Models
The development or use of AI systems does not inherently preclude the use of legitimate interests as a legal basis for processing. However, other legislation, such as the EU AI Act, must also be considered. The CJEU has determined that a controller’s commercial interest can constitute a legitimate interest, provided that it is not contrary to the law. Nonetheless, organizations should assess on a case-by-case basis whether the intended processing could be achieved in a less intrusive manner for the affected individuals.
For some AI activities, relying on legitimate interest may be more practical than other legal bases, such as consent. In certain situations, obtaining consent may be impractical or unfeasible, such as in research or statistical activities that benefit society. The EDPB provides examples where legitimate interest might apply, including the use of a conversational agent to assist users, AI systems to detect fraudulent content or behaviour, and AI to enhance threat detection in information systems.
As set out previously, relying on legitimate interests requires meeting three cumulative conditions: pursuing a legitimate interest, demonstrating that the processing is necessary to achieve that interest, and ensuring the processing does not override the fundamental rights and freedoms of data subjects.
Other considerations include:
- the type of AI system being proposed, including training and development mechanisms, the data being used, and deployment
- the purposes for which the AI system is provided/deployed by the controller, and whether they are compatible with the original purpose, including data subjects’ reasonable expectations of how their data will be used
- the different data protection roles of each controller/processor involved in the processing at each stage of the AI system’s lifecycle.
In the context of AI models and systems, the intended volume of personal data involved needs to be assessed in light of less intrusive alternatives that may reasonably be available to achieve the purpose of the legitimate interest pursued just as effectively. Organisations should also assess whether it is proportionate to pursue the legitimate interest at stake, also in light of the data minimisation principle.
The assessment of necessity should also consider the broader context of the intended processing of personal data. The availability of less intrusive means to protect the fundamental rights and freedoms of data subjects may vary depending on the organization’s relationship with the data subjects (direct or indirect). For third-party data, the lack of a direct relationship with data subjects requires stronger safeguards, such as enhanced transparency, opt-out mechanisms, and thorough risk assessments. Additional technical safeguards to protect personal data may also contribute to meeting the necessity test, including those that reduce the scope for identifying data subjects in the system.
The balancing exercise under legitimate interests must consider the unique risks posed by AI. These risks can arise during the development phase, such as through web scraping of personal data against the data subjects’ wishes or without their knowledge. They can also occur during the deployment phase, for instance, when personal data is processed by the system in a way that contravenes data subjects’ rights or when it is possible to infer personal data contained in the learning database. Other risks include discriminatory outcomes, the regurgitation or memorization of personal data by generative AI models, and broader societal risks like misuse through deepfakes or misinformation campaigns.
Reasonable expectations play a key role in the balancing exercise, especially given the complexity of AI technology and the difficulty for data subjects to understand the various potential uses of an AI model and the data processing involved. Criteria to assess whether individuals might reasonably expect certain uses of their personal data include whether the data was publicly available, the nature of the relationship between the individual and the controller, the nature of the service, the context in which the data was collected, the source of the data, the potential further uses of the model, and whether individuals are aware that their personal data is online.
If the balancing exercise indicates that processing should not proceed due to its negative impact on individuals, mitigating measures can help reduce this impact. These measures may be technical, such as pseudonymization, safeguards applied to web scraping, or output filters, or they may facilitate individuals’ rights, such as providing unconditional opt-outs or erasure options or implementing voluntary transparency initiatives like model cards and annual transparency reports.
AI models and systems come in various forms and serve a variety of purposes in a rapidly evolving environment. Therefore, organizations relying on legitimate interest to process data must assess the potential risks to data subjects and implement appropriate safeguards on a case-by-case basis. It’s important to recognize that training an AI model or system is not an end in itself; rather, it serves the organization’s ultimate objectives. This approach helps establish crucial guardrails for organizations that develop and use AI systems across different industry sectors.
EDPB: Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR
CNIL: Relying on the legal basis of legitimate interests to develop an AI system
CJEU, judgment of 4 October 2024, Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond
