Ireland’s data protection authorities have launched a probe into Google’s AI model, and whether it complies with GDPR.
The Irish Data Protection Commission (DPC), An Coimisiún um Chosaint Sonraí, is the EU’s lead privacy regulator for Google. The DPC has opened a cross-border statutory inquiry into Google Ireland, under Section 110 of the Data Protection Act 2018.
The regulator is investigating whether Google should have carried out a Data Protection Impact Assessment (DPIA) before processing data belonging to EU and EEA citizens in its foundational AI model, known as Pathways Language Model 2 (PaLM 2).
Cross-border processing is where personal data is processed in more than one member state or is likely to affect citizens in more than one member state.
Ireland’s DPC pointed out that, under Article 35 of the GDPR, data processors should carry out an impact assessment when data processing “is likely to result in a high risk to the rights and freedoms of individuals.”
The regulator added that this is especially important where new technologies are involved. The process needs to ensure data processing “is necessary and proportionate,” and that organizations have put safeguards in place.
Earlier this month, the DPC ended a court case against X (formerly Twitter) after the social media firm said it would limit how it uses personal data from EU citizens to train its AI models.
In June, Meta – which owns Facebook and Instagram – delayed large language model (LLM) training based on public content from the two social media channels, again following a request by Ireland’s DPC. This has delayed the European launch of Meta’s AI assistant, Meta AI.
The social media firm committed to working with the DPC, as well as the UK’s Information Commissioner’s Office (ICO), to address privacy concerns ahead of future AI model training.
Read more about security for LLMs: OWASP Releases Security Checklist for Generative AI Deployment
Image credit: Shaheerrr / Shutterstock.com