Statement on Generative AI

Roundtable of G7 Data Protection and Privacy Authorities

June 21, 2023

---

1. We, the G7 data protection and privacy authorities (DPAs), met to discuss the recent developments and challenges of generative AI technologies from a data protection and privacy perspective.
2. In the context of the rapid development and deployment of generative AI technologies, the widespread proliferation of their uses around the world and their increasing adoption across various domains, we recognize that there are growing concerns that generative AI may present risks and potential harms to privacy, data protection, and other fundamental human rights if not properly developed and regulated. In this regard, we welcome the G7 Digital and Tech Ministerial Declaration of April 2023, which reinforces the position that AI related laws, regulations, policies, and standards “should be human centric and based on democratic values, including the protection of human rights and fundamental freedoms and the protection of privacy and personal data”.
3. We note that current law applies to generative AI products and uses, even as different jurisdictions continue to develop AI-specific laws and policies.
4. We draw attention to key areas of concern where privacy and data protection risks may arise within the context of generative AI tools, including but not limited to:
   • Legal authority for the processing of personal information, particularly that of minors and children, in relation to:
     • the datasets used to train, validate and test generative AI models;
     • individuals’ interactions with generative AI tools; and
     • the content generated by generative AI tools.
   • Security safeguards to protect against threats and attacks that seek to:
     • invert the generative AI model to extract or reproduce personal information originally processed in the datasets used to train the model; and
     • subvert the efficacy of measures designed to promote compliance with other privacy and data protection requirements.
   • Mitigation and monitoring measures to ensure personal information generated by generative AI tools is:
     • accurate, complete and up-to-date; and
     • free from discriminatory, unlawful, or otherwise unjustifiable effects.
   • Transparency measures to promote openness and explainability in the operation of generative AI tools, especially in cases where such tools are used to make or assist in decision-making about individuals.
   • Production of technical documentation across the development lifecycle to assess the compliance of generative AI tools with privacy and data protection requirements.
   • Technical and organizational measures to ensure individuals affected by or interacting with these systems have the ability to exercise their rights in relation to generative AI tools with respect to:
     • access to their personal information;
     • rectification of inaccurate personal information;
     • erasure of their personal information; and
     • refusal to be subject to solely automated decisions with significant effects.
   • Accountability measures to ensure appropriate levels of responsibility among actors in the AI supply chain, especially when generative AI models are built upon one another.
   • Limiting collection of personal data to only that which is necessary to fulfil the specified task.
5. We note the recent developments within the G7. In particular, we recall that the Garante per la protezione dei dati personali – in the framework of a still ongoing investigation activity – had temporarily suspended the services that use generative AI in Italy, due to a possible violation of the GDPR and its national law, although the suspension was lifted after improvements in transparency and the rights of individuals for its service were implemented, in accordance with the order by the Italian authority. We highlight that close attention by technology companies to legal requirements and guidance from DPAs, and, where appropriate, close communication between technology companies and DPAs, can contribute to the responsible design, development and deployment of generative AI products and services in order to ensure the recognition and protection of privacy and other fundamental human rights. Further, we note the various ongoing actions by G7 DPAs including:
   • Investigating generative AI based on their respective legislations and issuing a regulatory notice.
   • Fostering cooperation and exchanging information on possible enforcement actions through for instance dedicated task force.
   • Providing information on AI such as guidance on best practices for data protection and privacy compliance.
   • Supporting innovative AI-based projects and actors, including through a regulatory sandbox.
6. Developers and providers should embed privacy in the design, conception, operation, and management of new products and services that use generative AI technologies, based on the concept of “Privacy by Design” and document their choices and analyses in a privacy impact assessment. In particular, developers and providers must comply with the existing laws and adhere to applicable internationally observed key data protection and privacy principles such as data minimization, data quality, purpose specification, use limitation, security safeguards, transparency, rights for data subjects including the right to be informed about the collection and the use of their personal data, and accountability. Developers and providers should also put in place measures to ensure deployers/adopters of their systems also have the ability to comply with their data protection and privacy obligations.
7. The G7 DPAs agree that further discussion and collaboration is needed on the issue of personal data protection within the context of generative AI from an ethical, legal, social, and technical perspective, and will continue to explore how best to protect privacy in relation to generative AI in the Emerging Technologies Working Group and Enforcement Cooperation Working Group under the G7 DPA Roundtable. We will contribute to discussions on generative AI held in other international fora and emphasize the need to pay close attention to data protection and privacy issues.