Generative AI

Google's Generative AI Under Privacy Scrutiny in Europe

12 September 2024 | Zaker Adham

Summary

Google's primary privacy regulator in the European Union has launched an investigation to determine if the company has adhered to the bloc's data protection laws concerning the use of personal information for training generative AI models.

The investigation focuses on whether Google was required to conduct a Data Protection Impact Assessment (DPIA) to evaluate the potential risks its AI technologies might pose to the rights and freedoms of individuals whose data was used in model training.

Generative AI tools are prone to producing plausible-sounding but false information, and their potential to surface personal data on demand creates significant legal risk. Ireland's Data Protection Commission (DPC), which monitors Google's compliance with the General Data Protection Regulation (GDPR), has the authority to impose fines of up to 4% of the global annual revenue of Alphabet, Google's parent company, for any confirmed violations.
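To put the 4% cap in perspective, the ceiling under GDPR Article 83(5) is calculated from total worldwide annual turnover of the preceding financial year. A minimal sketch of that calculation follows; the revenue figure is an assumption for illustration (roughly Alphabet's reported 2023 revenue), not a number from this article:

```python
# GDPR Art. 83(5) caps fines at 4% of total worldwide annual turnover
# of the preceding financial year.
# Assumed figure for illustration: Alphabet's reported 2023 revenue
# of roughly $307.4 billion (not stated in the article).
alphabet_revenue_2023_usd = 307_400_000_000
GDPR_MAX_FINE_RATE = 0.04  # 4% cap under Article 83(5)

max_fine = alphabet_revenue_2023_usd * GDPR_MAX_FINE_RATE
print(f"Theoretical maximum GDPR fine: ${max_fine / 1e9:.1f} billion")
```

Even on this rough assumption, the theoretical maximum runs into the billions of dollars, which is why a DPIA finding carries real financial weight.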

Google has developed several generative AI tools, including a suite of large language models (LLMs) branded as Gemini (formerly Bard). These tools power AI chatbots and enhance web search capabilities. The core of these consumer-facing AI tools is Google's Pathways Language Model 2 (PaLM2), introduced at last year's I/O developer conference.

The Irish DPC is investigating how Google developed this foundational AI model under Section 110 of Ireland's Data Protection Act 2018, which incorporates the GDPR into national law.

Training generative AI models requires vast amounts of data, and both the types of information used and the methods by which it is acquired are drawing increasing legal scrutiny over copyright and privacy. Any personal data of EU citizens used for AI training must comply with the bloc's data protection rules, whether it was scraped from the public internet or obtained directly from users.

Several LLM developers, including OpenAI (maker of GPT and ChatGPT) and Meta (developer of the Llama AI model), have faced GDPR-related privacy compliance questions and enforcement actions. Elon Musk's X has also encountered GDPR complaints and legal challenges over its use of personal data for AI training, leading to court proceedings and commitments to limit data processing.

The DPC's DPIA investigation into Google's generative AI is the latest regulatory action in this area.

"The statutory inquiry concerns whether Google has complied with any obligations to undertake an assessment, pursuant to Article 35 of the General Data Protection Regulation (Data Protection Impact Assessment), before processing the personal data of EU/EEA data subjects in developing its foundational AI Model, Pathways Language Model 2 (PaLM2)," the DPC stated in a press release.

The DPC emphasized that a DPIA is crucial for ensuring that the fundamental rights and freedoms of individuals are adequately considered and protected when processing personal data likely to result in high risk.

"This statutory inquiry is part of the DPC's broader efforts, in collaboration with its EU/EEA peer regulators, to regulate the processing of personal data of EU/EEA data subjects in the development of AI models and systems," the DPC added, highlighting ongoing efforts by the bloc's GDPR enforcement network to reach a consensus on applying privacy laws to generative AI tools.

Google did not address questions about the data sources used for training its generative AI tools but stated through spokesman Jay Stoll: "We take our obligations under the GDPR seriously and will work constructively with the DPC to answer their questions."