SlideShare a Scribd company logo

Generative AI, Search Engines and GDPR

Download as PPTX, PDF
David Erdos
David Erdos

These slides explore the interface between generative AI services such as ChatGPT and Google Bard and the GDPR in light of the experience of search engine indexing under the EU framework. In contrast to search engines, EU data protection authorities have responded promptly to the emergence of generative AI and, in principle, have stressed the need for full data protection compliance. However, in reality a host of legal problems remain live including an absence of a clear legal basis at least for sensitive personal data, uncertainty about whether data quality standards and data subject rights at least as regards background processing are or even can be met and failures of transparency as regards the categories, sources and storage periods for the personal data under processing. There is a serious likelihood, and indeed even present indications, that generative AI services will seek to claim the extra- and even contra-legislative derogations crafted in case law for search engines which limit duties to situations where processing is liable to affect fundamental rights “significantly and additionally” and to actions which are deemed to fall within the “responsibilities, powers and capabilities” of the service operators. Such derogations grant operators too much discretion and pay insufficient attention to the highly active manner in which generative AI services process personal data.

Law
1 of 12
Professor David Erdos Faculty of Law University of Cambridge
Search Indexing & European DP: Timeline  Mid-1980s – mid-1990s: Early concerns & some regulation even of news archive searches  Late-1990s-2000s: Search engines largely seen as “out of reach”; some focus on limiting exposure e.g. no robots  2007/8 onwards: Spanish DPA (with some wider support) sees engines as at least ex post controllers  2014-present: CJEU in Google Spain supports core Spanish position; working out of reach & limitations
Generative AI & DP: Timeline  Early 2023: Mass spread of generative AI including in form of chatbots like Open AI ChatGPT & Google Bard  March-July 2023: Investigations including temporary ban on ChatGPT in Italy; EDPB creates Taskforce  June 2023: G7 DPA Statement on Generative AI  October 2023: GPA Resolution on Generative AI Systems “current law applies to generative AI products and users, even as different jurisdictions continue to develop AI-specific laws and policies”
Generative AI & DP: Unclear Realities  Legal Basis? - Other than “legitimate interest” (which is always insufficient for special category data)  Categories of Personal Data and Sources?  Storage Periods?  Accuracy/Data Quality? - “Bard .. sometimes gives inaccurate or inappropriate results”  Subject Rights? - “we may not be able to correct the accuracy … [i]n that case, you may request that we remove your Personal Data from ChatGPT’s output”
Can/are Search Engine Limits Relied Upon? “Inasmuch as the activity of a search engine is … liable to affect significantly and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data, the operator of the search engine … must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down may have full effect and that effective and complete protection of data subjects, in particular of the right to privacy, may actually be achieved.” (Google Spain (2014) at [38])  GC et. al (2019): Freedom of expression/information can be invoked (although journalistic derogation not applicable)
Substantive Freedom of Expression Limits  Sensitive Data – GC et. al. (2019):  Accuracy - TU, RE v Google (2022): “[T]he operator must … ascertain, having regard to the reasons of substantial public interest referred to in … Article 9(2)(g) of Regulation 2016/679 and in compliance with conditions laid down in those provisions, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users” (at [68]) “where, at the very least, a part – which is not minor in relation to the content as a whole – of the information referred to in the request for de- referencing proves to be inaccurate… the right to inform and the right to be informed cannot be taken into account.” (at [64])
ChatGPT Removal Form
Responsibility Limitations: TU, RE (2022)  Only Ex Post:  Without Active Investigatory Duties: “the prohibitions and restrictions laid down by … the GDPR can apply to that operator only by reason of that referencing and thus via a verification, under the supervision of the competent national authorities, on the basis of a request by the data subject.” (at [53]) “operator cannot be required to play an active role in trying to find facts which are not substantiated by the request for de-referencing.” (at [70])
Relevant Generative AI Experience to Date  DP By Design & DP Impact Assessments - stressed by DPAs and strongly ex ante not ex post in nature  Proactive Transparency – also stressed, including by Italian DPA which required Open AI to carry out active information campaign  Rectification – ChatGPT states can’t always be carried out  Restriction – Not mentioned (and burden of proof re accuracy remains unclear)  All processing or just results? – Specification of rights for non- users generally focus only on latter
Significant & Additional Rights Risk Limits  CJEU has always expressed conceptually  EDPB (2020) only states right “mainly based” on name search  Italian DPA (2019) applied right to search on a job title  But Google resolutely limits right to name-search only “the operator of a search engine is responsible … because of the referencing of that page and in particular the display of the link to that web page in the list of results presented to internet users following a search on the basis of an individual’s name, since such a display of the link in such a list is liable significantly to affect the data subject’s fundamental rights”
Relevant Generative AI Experience to Date  Chat GPT talks in Removal Form about “prompts” (although unclear if it sees some prompts as too remote for any action)  Also states that “our training information does incidentally include personal information” & no clear route given for access or control rights regarding this (although is under DPA examination)
Taking Stock  Even within the EU, search engine indexing benefits from far-reaching exemptions from data protection  Exemptions enable a balance to be achieved with innovation, freedom of information etc. but are in essence extra- (& often contra-) legislative & grant operators great (& often disproportionate) discretion  Generative AI services act even less as an intermediary and process personal data in an even more active manner  Should seek a better way than this to ensure a balance between Generative AI products and data protection

Recommended

Introduction to Biometric lectures... Prepared by Dr.Abbas
Introduction to Biometric lectures... Prepared by Dr.AbbasIntroduction to Biometric lectures... Prepared by Dr.Abbas
Introduction to Biometric lectures... Prepared by Dr.AbbasBasra University, Iraq
 
ISO 27701
ISO 27701ISO 27701
ISO 27701UtkarshDhiman4
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR PresentationCILIP Ireland
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?David Erdos
 
Investigation of a cyber crime
Investigation of a cyber crimeInvestigation of a cyber crime
Investigation of a cyber crimeatuljaybhaye
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness trainingSAROJ BEHERA
 
Iot
IotIot
Iot91231501
 
The 5 security awareness training generations [CARTOON]
The 5 security awareness training generations [CARTOON]The 5 security awareness training generations [CARTOON]
The 5 security awareness training generations [CARTOON]Stu Sjouwerman
 

Recommended

Introduction to Biometric lectures... Prepared by Dr.Abbas
Introduction to Biometric lectures... Prepared by Dr.AbbasIntroduction to Biometric lectures... Prepared by Dr.Abbas
Introduction to Biometric lectures... Prepared by Dr.AbbasBasra University, Iraq
 
ISO 27701
ISO 27701ISO 27701
ISO 27701UtkarshDhiman4
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR PresentationCILIP Ireland
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?David Erdos
 
Investigation of a cyber crime
Investigation of a cyber crimeInvestigation of a cyber crime
Investigation of a cyber crimeatuljaybhaye
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness trainingSAROJ BEHERA
 
Iot
IotIot
Iot91231501
 
The 5 security awareness training generations [CARTOON]
The 5 security awareness training generations [CARTOON]The 5 security awareness training generations [CARTOON]
The 5 security awareness training generations [CARTOON]Stu Sjouwerman
 
CISA-Certificate (1)
CISA-Certificate (1)CISA-Certificate (1)
CISA-Certificate (1)Chandra Gangadharan
 
BBA FINAL TRANSCRIPT OFFICIAL
BBA FINAL TRANSCRIPT OFFICIALBBA FINAL TRANSCRIPT OFFICIAL
BBA FINAL TRANSCRIPT OFFICIALMark Breland
 
Information and Technology Act
Information and Technology ActInformation and Technology Act
Information and Technology ActApplied Forensic Research Sciences
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR The Pathway Group
 
Iot forensics
Iot forensicsIot forensics
Iot forensicsAbeis Ab
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for DummiesCaroline Boscher
 
Augmented Reality
Augmented RealityAugmented Reality
Augmented Realityrojalina nanda
 
Virtual reality report
Virtual reality reportVirtual reality report
Virtual reality reportSujeet Kumar
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingNguyễn Đăng Quang
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyControlCase
 
Practical introduction to IoT
Practical introduction to IoTPractical introduction to IoT
Practical introduction to IoTpekkanikander
 
First Certificate in English (Lower)
First Certificate in English (Lower)First Certificate in English (Lower)
First Certificate in English (Lower)Panagiotis Chourmouzis
 
Biometrics overview ppt
Biometrics overview pptBiometrics overview ppt
Biometrics overview pptamee yaami
 
Introduction To Biometrics
Introduction To BiometricsIntroduction To Biometrics
Introduction To BiometricsAbdul Rehman
 
Information technology act, 2000
Information technology act, 2000Information technology act, 2000
Information technology act, 2000Prateek Sinha
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Resilient Systems
 
Augmented reality
Augmented realityAugmented reality
Augmented realityShubham Pahune
 
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveGoogle Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveDavid Erdos
 
European Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search EnginesEuropean Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search EnginesDavid Erdos
 

More Related Content

What's hot

BBA FINAL TRANSCRIPT OFFICIAL
BBA FINAL TRANSCRIPT OFFICIALBBA FINAL TRANSCRIPT OFFICIAL
BBA FINAL TRANSCRIPT OFFICIALMark Breland
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
Iot forensics
Iot forensicsIot forensics
Iot forensicsAbeis Ab
 
Virtual reality report
Virtual reality reportVirtual reality report
Virtual reality reportSujeet Kumar
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingNguyễn Đăng Quang
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyControlCase
 
Practical introduction to IoT
Practical introduction to IoTPractical introduction to IoT
Practical introduction to IoTpekkanikander
 
Biometrics overview ppt
Biometrics overview pptBiometrics overview ppt
Biometrics overview pptamee yaami
 
Introduction To Biometrics
Introduction To BiometricsIntroduction To Biometrics
Introduction To BiometricsAbdul Rehman
 
Information technology act, 2000
Information technology act, 2000Information technology act, 2000
Information technology act, 2000Prateek Sinha
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Resilient Systems
 

What's hot (20)

CISA-Certificate (1)
CISA-Certificate (1)CISA-Certificate (1)
CISA-Certificate (1)
 
BBA FINAL TRANSCRIPT OFFICIAL
BBA FINAL TRANSCRIPT OFFICIALBBA FINAL TRANSCRIPT OFFICIAL
BBA FINAL TRANSCRIPT OFFICIAL
 
Information and Technology Act
Information and Technology ActInformation and Technology Act
Information and Technology Act
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
Iot forensics
Iot forensicsIot forensics
Iot forensics
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Augmented Reality
Augmented RealityAugmented Reality
Augmented Reality
 
Virtual reality report
Virtual reality reportVirtual reality report
Virtual reality report
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
 
Practical introduction to IoT
Practical introduction to IoTPractical introduction to IoT
Practical introduction to IoT
 
First Certificate in English (Lower)
First Certificate in English (Lower)First Certificate in English (Lower)
First Certificate in English (Lower)
 
Biometrics overview ppt
Biometrics overview pptBiometrics overview ppt
Biometrics overview ppt
 
Introduction To Biometrics
Introduction To BiometricsIntroduction To Biometrics
Introduction To Biometrics
 
Information technology act, 2000
Information technology act, 2000Information technology act, 2000
Information technology act, 2000
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
 
Augmented reality
Augmented realityAugmented reality
Augmented reality
 

Similar to Generative AI, Search Engines and GDPR

Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveGoogle Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveDavid Erdos
 
European Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search EnginesEuropean Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search EnginesDavid Erdos
 
New Media Internet Expression and European Data Protection
New Media Internet Expression and European Data ProtectionNew Media Internet Expression and European Data Protection
New Media Internet Expression and European Data ProtectionDavid Erdos
 
EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014Krishna De
 
Guidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European UnionGuidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European UnionSilesia SEM
 
Deck for Chardan conference call on ePrivacy and GDPR
Deck for Chardan conference call on ePrivacy and GDPR Deck for Chardan conference call on ePrivacy and GDPR
Deck for Chardan conference call on ePrivacy and GDPR Johnny Ryan
 
Slave to the Algo-Rhythms?
Slave to the Algo-Rhythms?Slave to the Algo-Rhythms?
Slave to the Algo-Rhythms?Lilian Edwards
 
Understanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsUnderstanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsRominaMariaBaltariu
 
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...stevewood900540
 
TrustArc Webinar-Advertising, Privacy, and Data Management Working Together
TrustArc Webinar-Advertising, Privacy, and Data Management Working TogetherTrustArc Webinar-Advertising, Privacy, and Data Management Working Together
TrustArc Webinar-Advertising, Privacy, and Data Management Working TogetherTrustArc
 
GDPR - Australian perspective - the challenge, the opportunity and your duty
GDPR - Australian perspective - the challenge, the opportunity and your duty GDPR - Australian perspective - the challenge, the opportunity and your duty
GDPR - Australian perspective - the challenge, the opportunity and your duty Jakub Otrząsek
 
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Johnny Ryan
 
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...ioannis iglezakis
 
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload) IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)IAB Europe
 
Cookies, FLoC & GDPR: Marketing Impact
Cookies, FLoC & GDPR: Marketing ImpactCookies, FLoC & GDPR: Marketing Impact
Cookies, FLoC & GDPR: Marketing ImpactCMassociates
 
RTC Google Knowledge Graph POV June 2012
RTC Google Knowledge Graph POV June 2012RTC Google Knowledge Graph POV June 2012
RTC Google Knowledge Graph POV June 2012RTC
 
GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...
GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...
GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...Pietro Calorio
 
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Mobile Age Project
 

Similar to Generative AI, Search Engines and GDPR (20)

Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveGoogle Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
 
European Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search EnginesEuropean Data Protection, the Right to be Forgotten and Search Engines
European Data Protection, the Right to be Forgotten and Search Engines
 
New Media Internet Expression and European Data Protection
New Media Internet Expression and European Data ProtectionNew Media Internet Expression and European Data Protection
New Media Internet Expression and European Data Protection
 
EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014
 
Guidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European UnionGuidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European Union
 
Eu rtbf criteria
Eu rtbf criteriaEu rtbf criteria
Eu rtbf criteria
 
Deck for Chardan conference call on ePrivacy and GDPR
Deck for Chardan conference call on ePrivacy and GDPR Deck for Chardan conference call on ePrivacy and GDPR
Deck for Chardan conference call on ePrivacy and GDPR
 
Slave to the Algo-Rhythms?
Slave to the Algo-Rhythms?Slave to the Algo-Rhythms?
Slave to the Algo-Rhythms?
 
Understanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics toolsUnderstanding gdpr compliance gdpr analytics tools
Understanding gdpr compliance gdpr analytics tools
 
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202...
 
TrustArc Webinar-Advertising, Privacy, and Data Management Working Together
TrustArc Webinar-Advertising, Privacy, and Data Management Working TogetherTrustArc Webinar-Advertising, Privacy, and Data Management Working Together
TrustArc Webinar-Advertising, Privacy, and Data Management Working Together
 
GDPR - Australian perspective - the challenge, the opportunity and your duty
GDPR - Australian perspective - the challenge, the opportunity and your duty GDPR - Australian perspective - the challenge, the opportunity and your duty
GDPR - Australian perspective - the challenge, the opportunity and your duty
 
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
 
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
The Right To Be Forgotten in the Google Spain Case (case C-131/12): A Clear V...
 
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload) IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
IAB Europe GIG: Working Paper on Controller - Processor Criteria (reupload)
 
Cookies, FLoC & GDPR: Marketing Impact
Cookies, FLoC & GDPR: Marketing ImpactCookies, FLoC & GDPR: Marketing Impact
Cookies, FLoC & GDPR: Marketing Impact
 
Trials and experiments in competition and regulation – Francesco Decarolis – ...
Trials and experiments in competition and regulation – Francesco Decarolis – ...Trials and experiments in competition and regulation – Francesco Decarolis – ...
Trials and experiments in competition and regulation – Francesco Decarolis – ...
 
RTC Google Knowledge Graph POV June 2012
RTC Google Knowledge Graph POV June 2012RTC Google Knowledge Graph POV June 2012
RTC Google Knowledge Graph POV June 2012
 
GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...
GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...
GDPR ed Explainable AI - Intelligenza Artificiale e Regolamento Europeo sulla...
 
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
 

More from David Erdos

Regulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data ProtectionRegulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data ProtectionDavid Erdos
 
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49David Erdos
 
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?David Erdos
 
The GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and BeyondThe GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and BeyondDavid Erdos
 
Data Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeData Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeDavid Erdos
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUDavid Erdos
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?David Erdos
 
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDavid Erdos
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDavid Erdos
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...David Erdos
 
Data Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical PerspectiveData Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical PerspectiveDavid Erdos
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social NetworkingDavid Erdos
 
UK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & ChangeUK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & ChangeDavid Erdos
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeDavid Erdos
 
Data Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in ConflictData Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in ConflictDavid Erdos
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkData Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkDavid Erdos
 
Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionDavid Erdos
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionDavid Erdos
 
EU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information FlowEU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information FlowDavid Erdos
 

More from David Erdos (19)

Regulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data ProtectionRegulatory Enforcement of UK Data Protection
Regulatory Enforcement of UK Data Protection
 
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
The Brexit Isles Alter Ego? Revisiting Ireland's Commonwealth Exit 1948-49
 
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
 
The GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and BeyondThe GDPR and Journalism: Enforcement and Beyond
The GDPR and Journalism: Enforcement and Beyond
 
Data Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing LandscapeData Protection and Journalism: The Changing Landscape
Data Protection and Journalism: The Changing Landscape
 
Constitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EUConstitutional Privacy and Data Protection in the EU
Constitutional Privacy and Data Protection in the EU
 
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?The UK and EU Personal Data Regime After Brexit: Another Switzerland?
The UK and EU Personal Data Regime After Brexit: Another Switzerland?
 
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection LawDead Ringers? Legal Persons & the Deceased in European Data Protection Law
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
 
Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...Comparing EU and Council of Europe Data Protection Standards in the Context o...
Comparing EU and Council of Europe Data Protection Standards in the Context o...
 
Data Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical PerspectiveData Protection and "Intermediary" Responsibility: An Historical Perspective
Data Protection and "Intermediary" Responsibility: An Historical Perspective
 
European Data Protection and Social Networking
European Data Protection and Social NetworkingEuropean Data Protection and Social Networking
European Data Protection and Social Networking
 
UK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & ChangeUK & EU Freedom of Information & Data Protection: Continuity & Change
UK & EU Freedom of Information & Data Protection: Continuity & Change
 
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory TightropeGDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
GDPR, DPAs and the Journalistic Media: Walking the Regulatory Tightrope
 
Data Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in ConflictData Protection and Academia: Fundamental Rights in Conflict
Data Protection and Academia: Fundamental Rights in Conflict
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkData Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR Framework
 
Reconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data ProtectionReconciling Humanities and Social Science Research With Data Protection
Reconciling Humanities and Social Science Research With Data Protection
 
Regulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data ProtectionRegulation of Medical Research under European Data Protection
Regulation of Medical Research under European Data Protection
 
EU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information FlowEU General Data Protection Regulation & Transborder Information Flow
EU General Data Protection Regulation & Transborder Information Flow
 

Recently uploaded

如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书FS LS
 
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptxAn Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptxKUHANARASARATNAM1
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书SD DS
 
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptxConstitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptxsrikarna235
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝soniya singh
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书Fir L
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 
Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesritwikv20
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaNafiaNazim
 
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书SD DS
 
POLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxPOLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxAbhishekchatterjee248859
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...shubhuc963
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书FS LS
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesHome Tax Saver
 
如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书Fir L
 
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.pptFINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.pptjudeplata
 
Special Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementSpecial Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementShubhiSharma858417
 

Recently uploaded (20)

如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
 
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptxAn Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
 
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
 
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptxConstitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
 
Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use cases
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in India
 
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
 
POLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxPOLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptx
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A History
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax Rates
 
如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书
 
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.pptFINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
 
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Serviceyoung Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
 
Special Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementSpecial Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreement
 

Generative AI, Search Engines and GDPR

  • 1. Professor David Erdos Faculty of Law University of Cambridge
  • 2. Search Indexing & European DP: Timeline  Mid-1980s – mid-1990s: Early concerns & some regulation even of news archive searches  Late-1990s-2000s: Search engines largely seen as “out of reach”; some focus on limiting exposure e.g. no robots  2007/8 onwards: Spanish DPA (with some wider support) sees engines as at least ex post controllers  2014-present: CJEU in Google Spain supports core Spanish position; working out of reach & limitations
  • 3. Generative AI & DP: Timeline  Early 2023: Mass spread of generative AI including in form of chatbots like Open AI ChatGPT & Google Bard  March-July 2023: Investigations including temporary ban on ChatGPT in Italy; EDPB creates Taskforce  June 2023: G7 DPA Statement on Generative AI  October 2023: GPA Resolution on Generative AI Systems “current law applies to generative AI products and users, even as different jurisdictions continue to develop AI-specific laws and policies”
  • 4. Generative AI & DP: Unclear Realities  Legal Basis? - Other than “legitimate interest” (which is always insufficient for special category data)  Categories of Personal Data and Sources?  Storage Periods?  Accuracy/Data Quality? - “Bard .. sometimes gives inaccurate or inappropriate results”  Subject Rights? - “we may not be able to correct the accuracy … [i]n that case, you may request that we remove your Personal Data from ChatGPT’s output”
  • 5. Can/are Search Engine Limits Relied Upon? “Inasmuch as the activity of a search engine is … liable to affect significantly and additionally compared with that of the publishers of websites, the fundamental rights to privacy and to the protection of personal data, the operator of the search engine … must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of Directive 95/46 in order that the guarantees laid down may have full effect and that effective and complete protection of data subjects, in particular of the right to privacy, may actually be achieved.” (Google Spain (2014) at [38])  GC et. al (2019): Freedom of expression/information can be invoked (although journalistic derogation not applicable)
  • 6. Substantive Freedom of Expression Limits  Sensitive Data – GC et. al. (2019):  Accuracy - TU, RE v Google (2022): “[T]he operator must … ascertain, having regard to the reasons of substantial public interest referred to in … Article 9(2)(g) of Regulation 2016/679 and in compliance with conditions laid down in those provisions, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users” (at [68]) “where, at the very least, a part – which is not minor in relation to the content as a whole – of the information referred to in the request for de- referencing proves to be inaccurate… the right to inform and the right to be informed cannot be taken into account.” (at [64])
  • 8. Responsibility Limitations: TU, RE (2022)  Only Ex Post:  Without Active Investigatory Duties: “the prohibitions and restrictions laid down by … the GDPR can apply to that operator only by reason of that referencing and thus via a verification, under the supervision of the competent national authorities, on the basis of a request by the data subject.” (at [53]) “operator cannot be required to play an active role in trying to find facts which are not substantiated by the request for de-referencing.” (at [70])
  • 9. Relevant Generative AI Experience to Date  DP By Design & DP Impact Assessments - stressed by DPAs and strongly ex ante not ex post in nature  Proactive Transparency – also stressed, including by Italian DPA which required Open AI to carry out active information campaign  Rectification – ChatGPT states can’t always be carried out  Restriction – Not mentioned (and burden of proof re accuracy remains unclear)  All processing or just results? – Specification of rights for non- users generally focus only on latter
  • 10. Significant & Additional Rights Risk Limits  CJEU has always expressed conceptually  EDPB (2020) only states right “mainly based” on name search  Italian DPA (2019) applied right to search on a job title  But Google resolutely limits right to name-search only “the operator of a search engine is responsible … because of the referencing of that page and in particular the display of the link to that web page in the list of results presented to internet users following a search on the basis of an individual’s name, since such a display of the link in such a list is liable significantly to affect the data subject’s fundamental rights”
  • 11. Relevant Generative AI Experience to Date  Chat GPT talks in Removal Form about “prompts” (although unclear if it sees some prompts as too remote for any action)  Also states that “our training information does incidentally include personal information” & no clear route given for access or control rights regarding this (although is under DPA examination)
  • 12. Taking Stock  Even within the EU, search engine indexing benefits from far-reaching exemptions from data protection  Exemptions enable a balance to be achieved with innovation, freedom of information etc. but are in essence extra- (& often contra-) legislative & grant operators great (& often disproportionate) discretion  Generative AI services act even less as an intermediary and process personal data in an even more active manner  Should seek a better way than this to ensure a balance between Generative AI products and data protection