Under the GDPR, Are Companies that Utilize Personal Information to Train Artificial Intelligence (AI) Controllers or Processors?
Wednesday, June 21, 2023
data privacy on your cell phone
Print Mail Download i

The EU’s General Data Protection Regulation (GDPR) applies to two types of entities – “controllers” and “processors.” 

A “controller” refers to an entity that “determines the purposes and means” of how personal information will be processed.[1] Determining the “means” of processing refers to deciding “how” information will be processed.[2] That does not necessitate, however, that a controller makes every decision with respect to information processing. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means.[3] “Essential means” refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered “traditionally and inherently reserved to the controller.”[4] “Non-essential means” refers to more practical aspects of implementing a processing activity that may be left to third parties – such as processors.[5]

A “processor” refers to a company (or a person such as an independent contractor) that “processes personal data on behalf of [a] controller.”[6]

Data typically is needed to train and fine-tune modern artificial intelligence models. They use data – including personal information – in order to recognize patterns and predict results.

Whether an organization that utilizes personal information to train an artificial intelligence engine is a controller or a processor depends on the degree to which the organization determines the purpose for which the data will be used and the essential means of processing. The following chart discusses these variables in the context of training AI:

The following chart discusses these variables in the context of training AI:

Function

Activities Indicative of a Controller

Activities Indicative of a Processor

Purpose of processing

Why the AI is being trained. 

If an organization makes its own decision to utilize personal information to train an AI, then the organization will likely be considered a “controller.”

If an organization is using personal information provided by a third party to train an AI, and is doing so at the direction of the third party, then the organization may be considered a processor.

Essential means

Data types used in training. 

If an organization selects which data fields will be used to train an AI, the organization will likely be considered a “controller.”

If an organization is instructed by a third party to utilize particular data types to train an AI, the organization may be a processor.

Duration personal information is held within the training engine

If an organization determines how long the AI can retain training data, it will likely be considered a “controller.”

If an organization is instructed by a third party to use data to train an AI, and does not control how long the AI may access the training data, the organization may be a processor.

Recipients of the personal information

If an organization determines which third parties may access the training data that is provided to the AI, that organization will likely be considered a “controller.”

If an organization is instructed by a third party to use data to train an AI, but does not control who will be able to access the AI (and the training data to which the AI has access), the organization may be a processor.

Individuals whose information is included

If an organization is selecting whose personal information will be used as part of training an AI, the organization will likely be considered a “controller.”

If an organization is being instructed by a third party to utilize particular individuals’ data to train an AI, the organization may be a processor.

 

[1] GDPR, Article 4(7).

[1] GDPR, Article 4(7).

[2] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

[3] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[4] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[5] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[6] GDPR, Article 4(8).

©2024 Greenberg Traurig, LLP. All rights reserved.

Current Legal Analysis

More from Greenberg Traurig, LLP

Fortune 500 Terms of Use Utilize Varying Arbitration Providers
by: Tyler J. Thompson
DOJ’s First Intervention in Cybersecurity FCA Qui Tam Case Signals Continued Cyber Enforcement
by: Eleanor M. Ross , Jeffery M. Chiow
Episode 64: The FTC’s Non-Compete Decree
by: Jordan D. Grotzinger , Gregory S. Bombard
Data Centres in Poland: Planning and Electricity
by: Adam Narloch
CFPB Releases Report Highlighting Financial and Privacy Risks in Online Video Gaming Marketplaces
by: Timothy A. Butler , Matthew M. White
Q&A on California’s Updated ‘Pay-to-Play’ Rule
by: Rebecca J. Olson
New York’s New Alcohol Beverage Control Law Amendments Affect State Liquor License Applicants
by: Jonathan L. Bing
GeTtin' SALTy Episode 27 | California OTA Catch-up [Podcast]
by: Nikki E. Dobay , Shail P. Shah
New York Appellate Court Denies Developer’s Landfill Odor Nuisance Claim in Metrose v. Waste Management as New Green Amendment Cases Await Decision
by: Zackary D. Knaub , Jenna Rackerby
FTC Votes to Ban Noncompete Clauses Nationwide
by: Gregory S. Bombard , Justin K. Victor

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins