The regulatory challenges associated with generative artificial intelligence (AI) are at the centre of current discussions, particularly with regard to the European AI Act (Artificial Intelligence Act). In a statement, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) analyses the data protection aspects and social consequences of this technology.
We summarise the most important points of the BfDI’s statement and discuss the legal implications.
Regulation of generative AI
Generative AI comprises technologies that are able to independently create content such as texts, images and videos. This can have a significant impact on various aspects of our society, from the world of work to opinion-forming and individual privacy. In this regard, the BfDI particularly emphasises the importance of data protection in the development and application of generative AI.
One of the key issues raised by the BfDI in its statement concerns the distinction between general purpose AI and foundation models. In contrast to general purpose AIs, the latter are extensive, highly developed artificial neural networks that have been trained on massive data sets. They form a kind of general AI basis on which developers can build to create more specific applications. One of the best-known examples of a foundation model is GPT-4 from the company OpenAI.
The BfDI argues that, regardless of this distinction, the principles of data protection law for processing activities apply to both AI models. Nevertheless, differentiated considerations in the context of the AI Act could help to ensure targeted regulations and the avoidance of regulatory gaps.
The BfDI clarifies this differentiation using the existing distinction in data protection between controllers and data processors. This distinction takes into account the respective context of data processing and ensures that both parties can fulfil their respective commitments.
Similarly, it makes sense to analyse foundation models in a differentiated manner in connection with the regulation of artificial intelligence. In this way, targeted regulation of the development and commercialisation of these tools can be ensured and potential regulatory gaps within the value chain of AI applications can be avoided. This is of crucial importance in order to create an effective legal framework for artificial intelligence.
However, in the case of a differentiated policy, it should be noted that this could contradict the risk-based approach of the AI Act. This could mean that even low-risk systems would have to fulfil extensive regulatory requirements. Nevertheless, it remains to be seen whether a differentiation will be made or, as is often the case, whether the terms will be used as synonyms.
The world of work and generative AI: potential and risks
Generative AI offers a wide range of possible applications in the world of work and harbours considerable potential for increasing efficiency and reducing workloads. However, the BfDI emphasises that data protection and privacy must also be safeguarded here, particularly because the great opportunities also harbour considerable risk potential. Employers have a responsibility to train and sensitise their employees with regard to the processing activity of personal data in connection with generative AI. This is particularly important in order to avoid the indiscriminate use of personal data when using AI.
Influence of AI on social values and freedoms
The values that are anchored in generative AI systems depend heavily on the training data. The BfDI emphasises the importance of transparency with regard to the data sources and the preselections applied. This transparency can ensure that AI systems are in line with the democratic and liberal values of the EU and Germany.
The selection of training data inevitably leads to a certain bias and therefore plays a crucial role as a form of unspoken control of the results of generative AI systems. It is of great societal importance to define clear frameworks and boundaries for this selection. This will ensure that generative AI systems operate in accordance with the data protection principles and values and freedoms of the EU and Germany and respect the privacy of users.
Labelling of AI-generated content
The labelling of AI-generated content is an important protective mechanism to inform consumers about the origin of the content. The BfDI points out that this is particularly relevant in the context of propaganda and defamatory content. However, it also emphasises the challenges of implementing effective labelling and the limited effectiveness of subsequent identification tools.
Labelling and recognition tools are not a panacea. A simple labelling requirement for AI-generated media could already cover many cases, but the clear line between human-generated and AI-generated content is difficult to draw today. According to the BfDI, the challenge is to raise awareness of the issue among the general public. Fact-checking mechanisms alone do not necessarily lead to the issue being addressed.
Marking and recognition methods are particularly relevant when a simple labelling requirement is not sufficient, for example in the case of deliberate concealment of AI-generated media. The use of watermarks requires the cooperation of providers, but it is questionable whether this approach is sustainable. Negative labelling, such as a camera-related signature, poses problems in terms of fundamental rights, as this would create a de facto personal reference. Tools for the subsequent identification of AI-generated media face the challenge of being in constant competition with the advancing capabilities of AI systems.
Regulation and generative AI: risk-based approaches
There are currently numerous proposals to precisely anchor the regulatory challenges of generative AI applications in the EU legislative proposals for the recently adopted AI Act and an AI Liability Directive. The question of whether the risk-based approach to the regulation of generative AI is suitable or whether a systemic risk analysis similar to the risk analysis and minimisation mechanism in the Digital Services Act (DAS) is required is still unanswered.
The BfDI is in favour of a risk-based approach that makes it possible to react appropriately to the dynamic development of generative AI. It emphasises the importance of graduated regulation that is geared towards the characteristics of the developing and deploying companies. This enables differentiated regulation that fulfils the requirements and risks.
The Digital Services Act introduced tiered regulation based on fixed criteria such as the size of the developing or deploying company, in particular the number of users. However, the low hurdle for the development and use of generative AI processes for a wide range of purposes, including critical applications, creates a different picture.
Until recently, the opinion was held that particularly powerful generative AI processes could only be developed and operated by large technology groups. The BfDI emphasises here that a systemic risk analysis would therefore probably have rated the size of a provider as very high. In particular, it emphasises that this view no longer necessarily exists according to the current situation. This indicates that rigid regulation based on a limited number of criteria could soon lose its effectiveness. This shows the strength of the risk-based approach of being able to react flexibly to such developments.
Influence on the democratic opinion-forming process
The low entry barrier for the use of generative AI also enables the efficient dissemination of convincing disinformation. Data protection aspects could relate to disinformation about natural persons and the creation of deep fakes in words and images. Although such phenomena are not new, generative AI enables simpler and faster generation.
With regard to the discussion on labelling and detection methods, the BfDI states that it should be noted that AI-generated media such as propaganda images or information that damages reputations do not have to remain permanently unrecognised in order to have a negative impact. Technical measures are not a panacea; their apparent efficiency distracts from the actual underlying problems. Organisational measures, such as an obligation to label primarily AI-generated media along the lines of attribution of copyright-protected content, could be more effective. Another key aspect lies in educating and sensitising the population in order to promote responsible use of this new medium.
Protection of minors and data protection
The protection of minors in relation to generative AI requires special attention. The BfDI argues that the personal data of minors should not be included in generative AI systems as a matter of principle. It emphasises the need to educate and sensitise minors.
The focus is on the particular need for protection of minors, as they are often unaware of the risks and consequences of the processing activity of their personal data and are often unable to exercise their data subject rights themselves. The GDPR reflects this need for protection by limiting the ability of minors to consent to the processing activity of their personal data.
The implementation of such measures in the context of AI is the responsibility of the developers of such AI systems and could be achieved technically through the targeted filtering of training data.
In order to protect underage users of generative AI applications, the integration of suitable limits in the AI sector, comparable to measures such as Safe Search for offensive content, could be useful. However, the BfDI rejects strict measures such as mandatory identification during use, as this would make anonymous use de facto impossible.
In view of the increasing integration of generative AI components into various services, such as AI search and integration into office applications, the use of generative AI is becoming normalised. In this context, comprehensive education and sensitisation of minors about the risks, but also the opportunities and potential, are essential.
Conclusion
The statement by the Federal Commissioner for Data Protection and Freedom of Information emphasises the importance of balanced regulation for generative AI with regard to data protection.
These technologies have the potential to facilitate data breaches, especially in the case of text generation. Transparency, traceability and data protection impact assessments are crucial to protect privacy.
The responsibility now lies with companies and legislators to ensure that the benefits of these technologies do not come at the expense of data protection as these technologies are further developed. It will be particularly interesting to see how the AI Act and other legislation will affect the practical environment for AI systems.
