Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 2023 TO SEND.pdf.pdf
- 1. GENERATIVE AI AND COMPLIANCE WITH DATA PROTECTION AND PRIVACY LAWS: CURRENT INTERNATIONAL TRENDS & FUTURE CHALLENGES Steve Wood, PrivacyX Consulting Asia Privacy Bridge 12/13 October 2023 10/ 15/2023 St ev e W ood A PB Conf er ence 2023 1
- 2. GENERATIVE AI AND FOUNDATION MODELS: HOW THEY CAN USE PERSONAL DATA Generative AI developers Generative AI deployers Training data sources (from internet & licenced data Includes publicly available personal data Individual users Outputs: text, code, video, images (includes personal data) Queries (includes personal data) Inputs into foundation model Learns from queries Enterprise Contract Learns from queries Additional training data sources from deployers’ systems Includes personal data Inputs into adapted model Outputs: text, code, video, images (includes personal data)
- 3. GENERATIVE AI: DATA PROTECTION RISKS AND CHALLENGES • Explaining training data inputs • Explaining learning from queries • Explaining implications of Generative AI outputs, including automated decisions Transparency • Controller & processor roles • Liability • Data Governance • Data Protection by Design • Impact assessments Accountabilty • Right of access • Right of correction or deletion • How do the rights interact with data in foundation models? • Objection to automated decisions Data Rights • Legitimate interests • Necessity and proportionate • Consent • Contract Lawful basis • Consent for child users • Transparency and awareness • Impact of outputs Children • Bias risk • Discrimination risk • Dataset fairness • Design fairness • Outcome fairness • Implementation fairness Fairness • Accuracy - hallucinated output, deepfakes • Data minimisation – scale of training data • Purpose limitation – re-use of personal data in models DP principles • Personal data leakage • Identification risks • Model inversion, data poisoning, prompt injection • Automation of cyber attacks Security
- 4. MEASURES TAKEN BY THE GENERATIVE AI INDUSTRY TO COMPLY WITH DATA PROTECTION LAW 1. Rejection or removal of personal data from training data before model is developed 2. Train models to reject queries for private or sensitive information about people 3. Allowing website operators can specifically disallow crawlers or block the crawler’s IP address 4. Not training and learning from enterprise deployments of their foundation model and allow the deployment to control data retention 5. Opt-out for use of chat history data for individual users 6. Improved privacy notices and information about data training and classification process 7. New forms and procedures for data rights - including access and objection 8. Revised contracts and data protection agreements between developers and deployers 9. Guidance and tools to support safe deployments 10/ 15/2023 St ev e W ood A PB Conf er ence 2023 4
- 5. ACTION TAKEN BY DATA PROTECTION AUTHORITIES Enforcement orders and fines • Italy Garante – prohibitionto OpenAI, lifted after one month • South Korea PIPC – administrative fine of 3.6 million KRW against OpenAI for failure to notify a data breachin relationto its payment procedure and issued a list of instances of non-compliance • JapanPIPC - warning issued to OpenAI Investigations on going into OpenAI • Canada – Federal OPC, British Columbia, Quebec, and Alberta • US Federal Trade Commission • Brazil ANPD Co-ordinated actions • European Data ProtectionBoard and Ibero-AmericanNetwork of DPAs Guidance • New Zealand PC, UK ICO, Spain AEPD, France CNIL St ev e W ood A PB Conf er ence 2023
- 6. ACTION TAKEN BY DATA PROTECTION AUTHORITIES – AREAS OF NON- COMPLIANCE 10/ 15/2023 6 Data Protection by Design Transparency Children Use of sensitive data Purpose limitation, accuracy & minimisation Lawfulness Consent Legitimate Interest Rights St ev e W ood A PB Conf er ence 2023
- 7. G7 DATA PROTECTION AUTHORITIES Joint statement on generative AI June 2023 Key areas of concern: Legal authority for the processing of personal information Risks to children Security safeguards Mitigation and monitoring measures of generated output Transparency measures to promote openness and explainability Production of technical documentation across the development lifecycle to assess the compliance Technical and organizational measures to ensure individuals can exercise their rights Accountabilitymeasures to ensure appropriate levels of responsibility among actors in the AI supplychain Limiting collection of personal data to only that which is necessary to fulfil the specified task. St ev e W ood A PB Conf er ence 2023
- 8. WHAT NEXT FOR GENERATIVE AI AND DATA PROTECTION ? More detailed DP guidance and regulatory actions DP investigations across the AI supply chain, not just deployers DP investigations into specific use cases of generative AI e.g. in recruitment, banking Growth of DP regulatory sandboxes to provide advice on data protection by design Joined up investigations between DP regulators and other regulators (e.g. competition, financial services) Policy makers consider places that DP cannot regulate and how the gaps should be filled Role of the EU AI Act in regulating generative AI (under negotiation in 2023). Some data protection regulators may take on AI Act functions when it becomes law 10/ 15/2023 8 St ev e W ood A PB Conf er ence 2023
- 9. THANK YOU Email: [email protected] Monthly newsletter: https://privacyx.substack.com 10/ 15/2023 St ev e W ood A PB Conf er ence 2023 9