The European Data Protection Board (EDPB) Has Issued an Opinion on Certain Data Protection Aspects Related to Processing Personal Data in AI Models

February 3, 2025

The European Data Protection Board (EDPB) has issued an opinion on certain data protection aspects related to processing personal data in AI models. The opinion responds to questions referred to the EDPB by the Irish supervisory authority concerning the anonymity of data in AI models, the appropriateness of legitimate interest as a legal basis for developing and deploying AI models, and the consequences of unlawfully processing personal data during AI model development.

Zeroing In: The Impact of Downstream Integrators’ Contractual Diligence Obligations

A significant aspect of the EDPB opinion is the detailed exploration of how legitimate interests may serve as a valid legal basis for processing personal data for training AI models. But the opinion offers other valuable insights into the position of the EDPB on the intersection between model training and data protection.

This note focuses on a narrow aspect of the opinion: the impact that downstream integrators' due diligence obligations have on the contracting process between model developers and those integrators. A downstream integrator could be, for instance, the developer of a text- or image-generating AI system with a bespoke user interface built on a licensed existing AI model, or the developer of an automatic navigation system built on a licensed existing AI model.

Opinions from the EDPB typically address specific questions or issues raised by supervisory authorities, the European Commission or others, and interpret or clarify aspects of the GDPR. Although they are a useful source of information for supervisory authorities and for the organisations they oversee, opinions are non-binding and should not be treated as regulatory guidance.

Key Takeaways

  • AI deployers (i.e., companies that integrate AI models) should carry out and document due diligence as part of their accountability obligations under the GDPR.
  • Developers that make models available should document the information and assistance they provide to deployers.
  • Developers and deployers should take deployers' due diligence obligations into account, including in their pre-contractual discussions.

Due Diligence of AI Model Deployers

One of the issues addressed in the EDPB opinion is the impact of unlawful data processing during the development of an AI model on the lawfulness of the subsequent processing or operation of that AI model, specifically when the personal data is retained and processed by another controller during deployment.

The opinion discusses the responsibilities that the deployer controller has in that scenario to ensure compliance with the GDPR.

The EDPB emphasizes that the deploying controller must conduct an assessment as part of its GDPR accountability obligations (Articles 5, 6 and 24), the goal of which is to demonstrate that it has evaluated whether the AI model was developed using unlawfully processed personal data.

The opinion specifies that when investigating the deployment of an AI model, supervisory authorities should consider whether the deploying controller has investigated elements that include:

  • the source of the data used to train the model; and
  • whether the AI model is the result of a legal infringement.

The opinion states: “The degree of the assessment of the controller and the level of detail expected by Supervisory Authorities may vary depending on diverse factors, including the type and degree of risks raised by the processing in the AI model during its deployment in relation to the data subjects whose data was used to develop the model.”

The French data protection authority (CNIL) has also recently issued a reminder of the due diligence that controllers should conduct before reusing publicly available databases.

Steps for AI Model Developers and Deployers to Consider

Developers and deployers should consider the following steps as part of their pre-contractual discussions:

Define the roles of the developer and the deployer in the processing of personal data.

  • The controller deploying the AI model and the controller that developed the AI model should start by characterizing their relationship with respect to the processing of personal data, because that characterization will influence the contract terms.
  • If the two parties are acting as joint controllers, their agreement should comply with Article 26 of the GDPR, which requires the parties to allocate their respective responsibilities for complying with the GDPR.

Deployers should obtain pre-contractual information and implement contractual safeguards.

  • Deployers could request access to documentation created by developers in fulfilment of their GDPR obligations, such as data protection impact assessments and legitimate interest assessments, including any updates.
  • Deployers could request strong guarantees in agreements with AI model developers related to the lawfulness of data processing during the development of the AI models.
  • Deployers may also consider requesting uncapped liability and indemnification provisions related to the lawfulness of this data processing. They may want to include requirements regarding the availability of updated and accurate documentation, including documentation that model developers subject to the EU AI Act will be required to provide (see below).
  • Extended contractual audit rights are also relevant. That said, supervisory authorities may not consider contractual safeguards alone as sufficient evidence of compliance with GDPR accountability obligations.

Developers should anticipate deployer requests.

  • Developers of AI models should anticipate requests for information and contractual obligations and seek to control disclosure by proactively making information available and pre-defining access and audit rights.

Developers and deployers should anticipate the additional documentation and transparency obligations that will apply to providers of general-purpose AI models.

  • Transparency obligations will apply to providers of general-purpose AI models (GPAIMs) under the AI Act.
    • Article 53(1)(b) requires GPAIM providers to share technical information with downstream providers.
    • This includes information on data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies.
    • Article 53(1)(d) provides that a detailed summary about the content used to train the GPAIM must be made available by providers of GPAIMs. Pending application of the AI Act, deployers may seek equivalent information from developers of GPAIMs as part of due diligence.
    • Developers of GPAIMs can anticipate the application of the AI Act by preparing documentation that reflects the requirements of the AI Act. Proactive transparency might provide a competitive and strategic advantage, even for developers of models that are not GPAIMs.

Deployers and developers have mutual cooperation obligations.

  • Developers and deployers of AI models should consider including a mutual cooperation obligation in their agreements to ensure access to relevant information (for instance, relating to risks and incidents).
  • Developers may also wish to be notified of any regulatory investigation that concerns their AI models and to define their role in any such investigation.

Developers should track information they make available.

  • Developers of AI models should track the information they make available, including in response to queries from AI model deployers carrying out due diligence.

If you wish to read more on the AI Act, please read our EU AI Act series here. If you have questions, please reach out to the authors (Julia Apostle and Rami Kawkabani).