Google’s generative AI is under investigation by its lead European Union privacy regulator over whether it complies with the bloc’s data protection laws when using personal information to train its AI systems.
The inquiry specifically examines whether Google was required to conduct a Data Protection Impact Assessment (DPIA) to proactively evaluate the potential risks that its AI technologies might pose to the rights and freedoms of individuals whose data was utilised in training these models.
Generative AI tools are notorious for producing plausible-sounding misinformation. That tendency, combined with their ability to surface personal information on demand, creates significant legal risk for their developers.
The Data Protection Commission (DPC) of Ireland, which oversees Google’s compliance with the General Data Protection Regulation (GDPR), has the authority to impose fines of up to 4% of the global annual revenue of Alphabet, Google’s parent company, for any confirmed violations.
Google has introduced various generative AI tools, including a suite of large language models (LLMs) branded as Gemini (previously known as Bard). These technologies power AI chatbots and enhance web search. At the core of these consumer-oriented AI tools is a foundational model called PaLM 2, which Google unveiled at its I/O developer conference last year.
The DPC’s investigation, which is being conducted under Section 110 of Ireland’s Data Protection Act 2018 (the law that transposes the GDPR into national legislation), focuses on how Google developed this foundational AI model.
Training generative AI models typically requires vast amounts of data, and the kinds of information LLM developers have acquired, along with how and where they obtained it, are under scrutiny in relation to a range of legal issues, including copyright and privacy.
Where privacy is concerned, any training data that contains personal information about EU residents falls under the EU’s data protection rules, whether it was scraped from public sources or obtained directly from users. This is why a number of LLM developers have already faced privacy-focused inquiries and GDPR enforcement actions, including OpenAI, the maker of GPT and ChatGPT, and Meta, which develops the Llama AI model.
Additionally, X, owned by Elon Musk, has faced GDPR complaints and scrutiny from the DPC regarding the use of personal data for AI training. This resulted in a court case and a commitment from X to limit its data processing, although no penalties have yet been imposed. However, X could still incur a GDPR fine if the DPC concludes that its processing of user data for training the Grok AI tool violated regulations.
The DPC’s DPIA investigation into Google’s generative AI represents the latest regulatory action in this domain.
“The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35 of the General Data Protection Regulation, prior to engaging in the processing of the personal data of EU/EEA data subjects associated with the development of its foundational AI Model, Pathways Language Model 2 (PaLM 2),” the DPC stated in a press release.
The DPC emphasised that a DPIA is of “crucial importance in ensuring that the fundamental rights and freedoms of individuals are adequately considered and protected when processing of personal data is likely to result in a high risk.”
Google did not respond to questions about the sources of data used to train its generative AI tools, but spokesperson Jay Stoll sent a statement saying: “We take seriously our obligations under the GDPR and will work constructively with the DPC to answer their questions.”