Regulations on the implementation of artificial intelligence and data protection: German authorities publish guidelines on the implementation of artificial intelligence in accordance with the GDPR

White & Case technology news

German federal and state data protection authorities have published guidelines on the implementation and use of artificial intelligence in accordance with European Union personal data law (the “Guidelines”).1

The guidelines are addressed primarily to entities implementing AI applications in the private and public sectors. They identify several immediate risks associated with the use of AI, including unlawful processing of personal data and discrimination based on biased data, and provide practical guidance on mitigating and preventing these risks by introducing a set of preventive measures and practices, such as documentation, impact assessment and employee training on the use of artificial intelligence.

The rapid development of artificial intelligence in the face of data protection

As artificial intelligence systems increasingly become part of everyday life and are deployed in various work environments, authorities have drawn attention to their relationship to the legal protection of personal data, and many practical compliance issues remain largely uncertain to date.

Guidance published by the Joint Authorities Conference aims to alleviate some of this uncertainty in Germany by providing practical considerations for the use of AI applications.

Guidance on pre-implementation issues

The guidance sets out what to consider from a data protection compliance perspective before using AI applications, including:

  • Identifying the purpose and use cases of AI applications;
  • Assessment of the legal basis for the processing of possible personal data in the context of using AI applications;
  • Ensuring compliance with transparency requirements for the collection and transmission of information on automated decision-making, including profiling, to data subjects and/or authorities;
  • Ensuring sufficient system flexibility to define data protection-compliant settings; e.g., disabling quick history or fine-tuning data sets to properly meet data subjects’ requests for information, rectification or deletion under the GDPR.

Additionally, it is recommended to involve personal data protection officers and employee representatives before implementation.

Compliance requirements with the implementation process

The guidelines make several suggestions to ensure compliance with data protection legal requirements when using AI applications, in particular:

  • Defining clear responsibilities (e.g. control and/or co-administration), especially if a cloud-based AI application is used;
  • Implementation of artificial intelligence policies;
  • Conducting a data protection impact assessment (Article 35 of the GDPR);
  • Training for employees;
  • Implementation of sufficient technical and organizational measures (data protection by design, Article 25 of the GDPR); e.g. through data security tools, corporate accounts or a data protection project.

Additionally, it is recommended to closely monitor ongoing developments in AI technology and legal guidelines, preferably in the context of company data protection procedures.

Use the AI model with caution

Finally, the guidelines outline some general practices that should be followed when using AI applications in compliance with data protection regulations. Above all, they recommend a cautious approach to monitoring and using AI results when personal data is involved. Any output from an AI application must be continuously monitored and critically analyzed to ensure data integrity and prevent bias in the data that could otherwise lead to unlawful discrimination.

Perspectives

The guidelines are a further step towards providing clearer guidance on the implementation and use of artificial intelligence. They show that the authorities are aware of the practical obstacles to compliance.

Following discussions on which German body will be designated as the national supervisory authority required under the EU Artificial Intelligence Act,2 the German data protection authorities have issued a position3 according to which they are prepared to take on this role due to their tasks and expertise, and thus position themselves as the German regulators in the field of artificial intelligence.

1 Guidelines of the German Conference on Data Protection of May 6, 2024, https://content.mlex.com/Attachments/2024-05-06_K3DN3E452H0TH6YG%2f20240506_DSK_Orientierungshilfe_KI_und_Datenschutz_web.pdf.
2 See https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker-germany.
3 Decision of the German Data Protection Conference of May 3, 2024, https://www.datenschutzkonferenz-online.de/media/dskb/20240503_DSK_Positionspapier_Zustaendigkeiten_KI_VO.pdf.

White & Case means the international law practice of White & Case LLP, a New York limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law, and all other affiliates, partnerships and entities.

This article is intended for general information of interested persons. It is not, and does not attempt to be, comprehensive. Due to the general nature of the content, it should not be construed as legal advice.

© 2024 White & Case LLP