Can data subjects be data controllers?

November 25, 2024

With the rise of AI trained on user data, the question of whether data subjects can be considered data controllers for the personal data in their AI prompts and outputs has once again taken the spotlight. This is not a new issue: the possibility of data subjects acting as data controllers has been explored as far back as the beginning of modern media, and the conclusion has been mostly consistent.

In the May report of the EDPB’s ChatGPT Taskforce, it is stated that:
“(T)he responsibility for ensuring compliance with GDPR should not be transferred to data subjects, for example by placing a clause in the Terms and Conditions that data subjects are responsible for their chat inputs. Rather, if ChatGPT is made available to the public, it should be assumed that individuals will sooner or later input personal data. If those inputs then become part of the data model and, for example, are shared with anyone asking a specific question, OpenAI remains responsible for complying with the GDPR and should not argue that the input of certain personal data was prohibited in first place.”

The principle of fairness dictates that enterprises should not transfer the risks and responsibilities of the data controller to the data subjects. As such, it would be hard for AI developers and distributors to declare that the users of AI are also data controllers regarding the data they input into the AI.

For more details, please access: https://lnkd.in/eGc6-wB2

