“If left unchecked, generative artificial intelligence (AI) and other AI technologies could seriously undermine privacy and other fundamental rights”. Just one day before the close of the 45th Global Privacy Assembly (GPA), the OECD published an article on the challenges posed by artificial intelligence and its growing importance worldwide.
Generative AI stands out by using algorithms capable of generating and creating content in various formats (text, image, video, etc.) based on large volumes of data known as “knowledge libraries”. These libraries are often fed by data scraping (collecting public data) or by data brokers monetising files containing personal data.
Examples of inter-state cooperation have emerged to address common concerns about the protection of privacy and fundamental rights of individuals.
The GPA’s resolution of 20 October 2023 on generative AI systems is part of this movement, a meeting co-sponsored by Morocco, which was appointed host of this assembly for two years in 2021.
Faced with the development of generative AI, the GPA is aimed at those involved in the commissioning of these technologies and makes them accountable in its resolution built around 9 areas of compliance.
- A legal basis for lawful processing
Reminder of the obligation to identify a legal basis for each stage of data processing (collection, testing, learning, interactions with users, etc.). - An identified purpose and limited use
An appropriate, reasonable and legitimate purpose must be identified upstream. The resources deployed by AI must be proportionate to the purpose. - Data minimisation principle
The data processed must strictly meet the requirements of the intended purpose in order to reduce the risks. - Data reliability
The Assembly refers to “hallucinations”, situations where the content generated by AI is false or incomplete, and the need to use data governance policies to reduce the occurrence and risk of such situations. - Transparency
The developers, suppliers and users of these generative technologies must adopt an approach that is transparent to individuals. In particular, this means that suppliers must provide their customers with precise documentation on the risks associated with these solutions. - Security
Confidentiality and security must be built in from the design phase of the solution, by implementing appropriate technical, organisational and logical measures. - Privacy by design and default
The GPA recommends that players in the sector carry out a data protection impact assessment (DPIA) throughout the life of the solution in order to adapt protection measures in the light of changes in risk. - Individual rights
Data subjects must be informed about the processing of their personal data. The possibility of exercising their rights must also be guaranteed. - Accountability
Actors must be able to demonstrate their compliance with national and supranational rules by making the necessary exhaustive technical documentation available to the competent supervisory authorities.
The Global Privacy Assembly is calling on its members to incorporate the substance of this resolution into a binding national framework. While some countries have enacted laws governing the use of AI, legislators are struggling to keep pace with a conquering technology.
In a global world that is more dynamic than ever, it is vital for all stakeholders to work together to adopt an initial common framework for new technologies. This would include principles and good practices, along the lines of codes of conduct, which could be translated into more detailed measures at national level.
Finally, it should be noted that generative AI is based on a system that educates the tool to assist the user in a specific domain. The learning process exploits huge libraries of knowledge and events. Only when the tool is sufficiently expert in its specialist field is it put into service. It will continue to learn and to produce, to generate, by assisting the user. The tool uses the data on which the human has chosen and decided to train it. It is therefore crucial to provide a framework for the decision taken by the human being, even before looking at the technical aspects of the solution. A risk-based approach will be more respectful of the fundamental rights of individuals.
By Adila SAKHRAJI, Chief Compliance Officer & Data Protection Officer.