The EU AI Act and sensitive data
One of the key ways that AI governance and data protection intersect
TL;DR
This newsletter is about how the AI Act and GDPR intersect regarding the use of sensitive data for AI development. It looks at what is required under both pieces of legislation, the potential gaps in the legal framework and what steps developers could take regarding compliance.
Here are the key takeaways:
Under the GDPR, personal data cannot be processed without an appropriate legal basis; the available legal bases are provided under Article 6 of the Regulation. Additionally, sensitive personal data cannot be processed unless one of the exceptions listed under Article 9.2 applies.
The AI Act permits, under Article 10.5, the use of sensitive data for the purposes of bias mitigation regarding the development of AI systems. It states that providers may exceptionally process sensitive data “to the extent strictly necessary for the purpose of ensuring bias detection and correction in relation to the high-risk AI systems.”
Article 10.5 itself cannot be a legal basis for processing sensitive data for AI development. The provision is written in a way that entertains the possibility of processing sensitive data for AI development, but only for the purpose of bias mitigation and only if its use meets certain other conditions under both the AI Act and the GDPR.
Steps that developers can take to help comply with the requirements under the AI Act and GDPR regarding the use of sensitive data for AI development include:
Determining whether sensitive data are needed for the development of the AI system
Documenting the justifications/explanations for using sensitive data in a record of processing operations
Applying data minimisation to the sensitive data


