Google is facing an investigation by its lead privacy regulator in the European Union over claims that it did not comply with data protection laws concerning the use of people's information to train generative AI.
The investigation specifically seeks to establish whether the tech giant carried out, or should have carried out, a data protection impact assessment (DPIA) to proactively consider the risks that its AI technologies could pose to the rights and freedoms of those whose information was used in training the models.
Generative AI tools have a reputation for churning out plausible-sounding balderdash. Combined with a propensity to produce personal information on demand, this creates considerable legal risk for their makers. Ireland's Data Protection Commission (DPC), which oversees Google's compliance with the bloc's General Data Protection Regulation (GDPR), has the power to levy fines of up to 4% of Alphabet's global annual turnover for any confirmed breaches.
Google has created a family of general-purpose large language models (LLMs), known as Gemini (formerly Bard), and is applying the technology to power AI chatbots, in one case boosting its web search capabilities. Underlying all these consumer-facing AI tools is a Google LLM called PaLM 2, which the company unveiled last year at its I/O developer conference.
How Google developed this foundational AI model is what the Irish DPC says it is investigating, under Section 110 of Ireland's Data Protection Act 2018, which transposed the GDPR into national law.
Training GenAI models tends to require large amounts of data, and the types of information that LLM makers have collected, as well as how and from whom they gathered it, are increasingly being scrutinized in relation to a range of legal concerns, including copyright and privacy.
In the latter case, information used as AI training fodder that contains the personal information of people in the EU is subject to the bloc's data protection rules, whether it was scraped off the public internet or directly acquired from users. This is why several LLM makers have already faced questions, and some enforcement actions, related to GDPR compliance, including OpenAI, the maker of GPT (and ChatGPT), and Meta, which develops the Llama AI model.
The DPC has also raised GDPR complaints and expressed anger over how X, owned by Elon Musk, uses people's data to train AI, leading to a court case and an undertaking by X to limit its processing but no sanction. X can still face a GDPR penalty, however, if the DPC concludes that its processing of user data to train its AI tool Grok breached the regime.
The DPC's DPIA probe of Google's GenAI is the third regulatory action in this area.
"The statutory inquiry raises the question of whether Google has complied with any obligation it might have had under Article 35 of the General Data Protection Regulation (Data Protection Impact Assessment) to undertake such an assessment prior to engaging in processing the personal data of EU/EEA data subjects in connection with the development of its foundational AI Model, PaLM 2," the DPC wrote in a press release.
This underlines that a DPIA can be of paramount importance in ensuring that the basic rights and freedoms of individuals are considered and protected when the processing of personal data is likely to result in a high risk.
"This statutory inquiry is part of the broader efforts of the DPC, working together with its EU/EEA peer regulators, to regulate the processing of the personal data of EU/EEA data subjects in the development of AI models and systems," said the DPC, referencing ongoing efforts by the bloc's network of GDPR enforcers to reach some sort of consensus on how best to apply the privacy law to GenAI tools.
Google did not answer a question about the sources of data used to train its GenAI tools, but spokesman Jay Stoll emailed a statement in which the company wrote: "We take seriously our obligations under the GDPR and will work constructively with the DPC to answer their questions."