DPC is launching an investigation into Google’s AI compliance
The Data Protection Commission (DPC), the Irish data protection authority (DPA), announced on Thursday that it has opened a cross-border investigation into Google’s AI model.
Specifically, the EU’s lead privacy regulator wants to know whether Google performed a Data Protection Impact Assessment (DPIA) prior to engaging in the processing of personal data of European data subjects with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2). Google uses this underlying technology, which was launched at last year’s Google I/O Developer Conference, to power AI chatbots like Gemini (previously Bard) and enhance web search.
A Data Protection Impact Assessment or DPIA is a study in which an independent party monitors how a company or organization deals with the processing of personal data. Among other things, it looks at which privacy sensitive data an organization collects, for what purposes it needs this data, how it processes this information and whether the processing of this data outweighs the infringement of privacy.
To a greater or lesser extent, most businesses and organizations process personal data. But not all companies are required to carry out a DPIA.
Article 35 of the General Data Protection Regulation (GDPR), which is the legal basis of the DPIA, states that when the processing of personal data may pose a high risk to the rights and freedoms of data subjects, a DPIA must be carried out. That’s the case, for example, when personal data is systematically collected for the monitoring of a public service, like fraud detection, tax evasion, or camera surveillance.
“A DPIA assessment is a key process for building and demonstrating compliance, which ensures that data controllers identify and mitigate against any data protection risks arising from a type of processing that entails a high risk. It seeks to ensure, among other things, that the processing is necessary and proportionate and that appropriate safeguards are in place in light of the risks,” the DPC explains in a press release.
“We take seriously our obligations under the GDPR and will work constructively with the DPC to answer their questions,” a Google spokesperson told TechCrunch in an emailed statement.
The DPC's investigation is part of a broader investigation in which European privacy regulators are looking at the processing of personal data for the development of AI models.
Last week, social media platform X agreed not to train its AI tool Grok using the personal data collected from European users before the company introduced an option to withdraw their consent. The decision followed after a court proceeding, in which the judge ordered X to limit its data processing in the EU.
Your email address will not be published. Required fields are marked