Europe faces new data protection hurdles in the field of AI

• European Data Protection Board set to issue statement on artificial intelligence in December 
• Bitkom warns of legal uncertainty and further competitive disadvantages in AI development and deployment

Berlin, 10 December 2024 – The deployment and, in particular, the development of artificial intelligence (AI) systems could soon become significantly more challenging in Europe. The digital association Bitkom draws attention to this ahead of a statement expected in the coming days from the European Data Protection Board (EDPB). Current concerns suggest that the forthcoming paper on the tension between AI and data protection may stipulate that the "legitimate interest" provision under the General Data Protection Regulation (GDPR) may only be used as a legal basis for processing personal data for AI training in exceptional cases.

Companies would then need to obtain revocable consent for every individual case, effectively ruling out data protection-compliant AI use. Alternatively, they would have to rely on data anonymization, which is not always technically feasible and poses a significant burden, especially for small and medium-sized enterprises.

"We cannot afford to slam the brakes on AI. Developing and deploying artificial intelligence is vital for our competitiveness and digital sovereignty," says Susanne Dehmel, member of Bitkom's executive board. "It is all the more regrettable that the EDPB has not sought or facilitated a genuine dialogue with industry before making a decision with such far-reaching consequences."

The EDPB brings together national data protection authorities to ensure consistent application of the GDPR across member states. Its opinions, recommendations, and guidelines are not legally binding but serve as guidance for supervisory authorities in EU member states. Moreover, the European Court of Justice and national courts often refer to them. A corresponding statement from the EDPB would, therefore, at the very least, create new legal uncertainty for companies developing and training AI models, as well as for those enriching and fine-tuning existing models with their own data.

Already today, 70% of all companies—and 80% of companies using AI—see data protection breaches as the biggest risk associated with AI use. Additionally, 52% of companies state that data protection requirements hinder the use of AI.

In a recent position paper on data protection in AI development and deployment, Bitkom calls for the legitimate interest of companies in training AI with personal data to be recognized as a sufficient legal basis under the GDPR, provided that the interests of the individuals concerned do not outweigh it. At the same time, clear guidelines for balancing interests with data protection must be established to ensure legal certainty for companies.

Regarding the EDPB, Bitkom advocates for the introduction of binding, mandatory, and transparent consultation procedures to involve businesses at both the national and European levels early on. Only in this way can technical and practical challenges be adequately addressed beyond legal considerations.

"Data protection is a high priority and a fundamental part of our democratic value system. However, we must utilize the options provided by European data protection law and not regularly seek the strictest possible interpretation," says Dehmel. "We are already seeing that certain AI services are not offered in Europe due to legal uncertainty. This also affects citizens who are being cut off from technological advancements."