The world’s leading internet firms are engaging extensively with regulators in the European Union to ensure their artificial-intelligence products do not fall foul of the bloc’s strict data protection rules, Ireland’s powerful data regulator said.
Ireland’s Data Protection Commission, lead EU regulator for Alphabet’s (GOOGL.O) Google, Meta (META.O), Microsoft (MSFT.O), TikTok and OpenAI, among others, said that its broad powers had not yet been tested on AI and it could in future force changes to business models to ensure data privacy is protected.
AI creates a number of potential issues for data privacy, the two top officials at Ireland’s Data Protection Commission said in an interview on Tuesday.
Regulators need to decide whether companies should be allowed to trawl the internet for public data to train AI models, and on what legal basis personal data can be used.
AI operators also need to explain how they can ensure individuals’ data rights, including the right to erase their data. The risk of AI models giving incorrect personal data about individuals must also be addressed, the Irish officials said.
“There has been extensive engagement” from leading US tech firms including Google, Meta, TikTok, LinkedIn and OpenAI, said Dale Sunderland, one of the Irish regulator’s two Data Protection Commissioners.
“They’re seeking our views on some of their new products in the AI space, particularly the large language model space.”
Google agreed to delay and make changes to its Gemini AI chatbot following consultations with the Irish regulator, he said.
While Ireland is the lead regulator for most of the top US internet firms due to the location of their EU head offices in the country, other regulators can have a say in decisions via the European Data Protection Board, which is currently working on guidance on how AI should operate under EU data protection law, he said.
AI model operators from next month will have to comply with the EU’s landmark new AI Act. But they will also have to comply with the bloc’s key data protection law, the General Data Protection Regulation, which can impose fines of up to 4 per cent of a firm’s total global turnover.
“The power of national regulators, including us, is quite broad,” said Des Hogan, Ireland’s other Data Protection Commissioner and chair of the commission.
“If they haven’t done proper due diligence around the impacts of new products or services … they run that risk of having to change the design downstream.”