Under the GDPR, Is an Organization Required to Distribute Its Privacy Notice to Every Individual Whose Information Is Included in an AI Prompt?
Wednesday, September 20, 2023
AI Prompts Subject to more Security Scrutiny

Related Practices & Jurisdictions
Print Mail Download i

Not necessarily. 

Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place. 

If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the time when personal data are obtained.”[1] If, on the other hand, the personal data the organization includes in a prompt has been collected from a third party source (e.g., scraped from the internet or received from another controller), the GDPR generally permits the controller to provide a copy of its privacy notice “within a reasonable period” after the data is collected.[2] Furthermore, in the following situations the GDPR does not mandate that a privacy notice be directly provided to individuals:

  1. Individuals already know the organization’s privacy practices. If a “data subject already has the information” that would be contained within a privacy notice the organization is not required to provide one to them.[3]

  2. Impossibility. If providing a privacy notice directly to individuals is “impossible” an organization is relieved of the requirement. That said, the GDPR requires that the organization “take appropriate measures to protect individuals’ rights and freedoms and legitimate interests, including making the information publicly available.”[4] 

  3. Disproportionate effort. If providing a privacy notice “would involve a disproportionate effort” an organization is not required to provide the notice.[5] That said, the GDPR requires that the organization “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”[6]

  4. Processing cannot be disclosed pursuant to European Union law. If a European Union Member State imposes an obligation of secrecy that would prohibit an organization from disclosing the fact that it has processed an individual’s information, the organization is not required to provide individuals with its privacy notice.[7] This exception would likely not apply to most organizations’ inclusion of personal data as part of AI prompts.

[1] GDPR, Article 13(1).

[2] GDPR, Article 14(3)((a).

[3] GDPR, Article 14(5)(a).

[4] GDPR, Article 14(5)(b).

[5] GDPR, Article 14(5)(b).

[6] GDPR, Article 14(5)(b).

[7] GDPR, Article 14(5)(d).

©2024 Greenberg Traurig, LLP. All rights reserved.

Current Legal Analysis

More from Greenberg Traurig, LLP

New Pay Transparency and Wage History Requirements in Maryland and Washington, D.C.
by: Johnine P. Barnes
Dutch Real Estate: Beware of Potential Leasehold Terminations as a Result of Offences
by: Marijn Bodelier
What You Need to Know About Colorado’s New Comprehensive AI Law
by: Tyler J. Thompson
DOL Makes Significant Changes to QPAM Exemption
by: Nathan M. Iacovino
Florida’s Live Local Act Middle-Income Affordable Housing Exemption Has 2-Year No-Exemption Exit Trap
by: Marvin A. Kirsner
U.S. to Impose Further Tariffs on Imports from China Following Section 301 Review
by: Laura Siegel Rabinowitz , Donald S. Stein
Treble Ahead? Supreme Court Decision Sharp on Copyright Damages but Flat on the Discovery Rule
by: Sabina A. Vayner , Steven J. Wadyka Jr.
Maryland Restricts Noncompete Clauses for Veterinary and Health Care Professionals
by: Galit Kierkut , Kristin Spallanzani
IRS Issues Supplementary Letters to Affected Taxpayers Who Requested More Information About Data Breach; Scope of Disclosure Remains Unknown
by: G. Michelle Ferreira , Scott E. Fink
CA Bill Would Shift Lobby Filer Audits to Fair Political Practices Commission
by: Rebecca J. Olson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins