The EU’s highest court and a key regulator this month left the door open—at least a crack—for artificial intelligence companies that want to train their models on Europeans’ personal data without seeking consent from each individual.
Courts and regulators still must address trickier questions about the legality of AI training, including exactly when an individual needs to understand how their information is being used to train a model, attorneys said.
An Oct. 4 decision from the Court of Justice of the European Union and guidance from the European Data Protection Board four days later confirm that a company’s “purely commercial” concerns can constitute a legitimate interest under the EU’s General Data Protection Regulation.
The court decision and guidance will support companies’ efforts to argue their large language model training complies with European law, even though neither addressed AI specifically, attorneys said.
It’s “overall good news—it hasn’t made it more difficult for companies. But it’s also not really becoming easier,” said Holger Lutz, a partner at Clifford Chance in Frankfurt.
Before this month’s actions, major tech companies—including
GDPR in most cases requires consent for a “data controller” to process an individual’s data. Exceptions include when using the data is necessary to a company’s “legitimate interest.”
The EU law’s legitimate interest principle has come into greater focus recently as companies increasingly collect data in complicated ways that make it unfeasible to get consent, said Odia Kagan, partner and chair of data privacy compliance and international privacy at Fox Rothschild.
For example, AI model developers likely won’t be able to ask for consent from every individual whose personal information is being fed to a large language model for training, attorneys said.
“Commercial activity is not the illegitimate child of legal basis. That is clear, unequivocal, and definitely good news,” Kagan said—but she added that companies still must meet other qualifications for their data processing to be lawful.
Balancing Interests
The court’s judgment knocked down a previous decision from the Dutch data protection authority finding the Dutch Lawn Tennis Association had violated GDPR—a decision considered “an outlier” compared with most regulators’ interpretation of the issue, Kagan said.
Authorities’ confirmation that a purely commercial interest can be a legitimate interest is just one piece of a more complex legal argument that AI developers must make to clear their use of personal data without specific consent. The opinion and guidance don’t guarantee AI training will ultimately be acceptable under GDPR, as neither gave a clear answer to other looming questions.
The European Data Protection Board guidance describes the conditions that must be met for data processing to be legal:
- First, the data controller—such as the entity training an AI model—must be pursuing a legitimate interest. That can be a commercial interest, according to the recent decision and guidance.
- Next, a necessity test: Processing that data must be necessary to meet the company’s purpose.
- Finally, a balancing test: The entity training the large language model must weigh its interests against the data subjects’ interests. For instance, AI providers could argue that attempting to completely anonymize all the data used to train a model would be onerous, Lutz said.
What’s Next?
Individuals whose data is being processed must have a reasonable expectation of how that data will be used at the time it’s processed. But it’s unclear in the case of AI training when that processing takes place. Must the individual have a reasonable expectation that their data will be used for AI training at the time they provide it—such as by making a social media post—or years later, when that post is used to train the model?
AI companies face further requirements, including ensuring that their data processing complies with other European laws, including tax, antitrust, and copyright statutes. This could prove especially tricky when model developers don’t know where their data came from, Kagan said.
The legality of generative AI tools in the EU will also depend on how providers communicate their intent and use cases with consumers, whether through clear notice and consent models, regular updates of their terms of use, or other means.
The data-protection board’s guidelines “even go further and say something like, ‘When you implement these mitigating measures, don’t just implement normal measures that you would have implemented anyway, like a privacy notice,’” Kagan said.
Companies should instead “go an extra mile,” taking steps such as offering individuals a way to have the company delete the data it has on them, even when it doesn’t have to, she said.
Companies can’t be vague about what they’re using data for—and that use must exist in the present, not a hypothetical future, Kagan said. That requirement may raise problems for developers of general-purpose AI models, which are often created without a specific use case, she noted.
Regulators’ scrutiny of AI training in the EU will likely continue—including from the Dutch data protection regulator, which has already warned that it will keep closely monitoring organizations’ data practices.
The court ruling “is not allowing companies to do whatever they want to do because it is a commercial interest,” said Joke Bodewits, an Amsterdam-based partner at Hogan Lovells. “There is still a need for GDPR compliance. But I think what is important for companies to do now is to assess how they rely on legitimate interest.”
To contact the reporters on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.