The European Union’s lead data privacy regulator for Google has opened an inquiry into whether the company’s processing of people’s data to train Google’s GenAI conforms to the bloc’s laws on data protection.
It’s instead about whether the tech giant was under an obligation to conduct a data protection impact assessment to proactively analyse the possible risks its AI technologies posed against the rights and freedoms of individuals whose personal data had been used for the training of the models.
Google’s GenAI is known to create misinformation that sounds really convincing. This tendency, put together with the capability for disclosure of personal information if required, creates tremendous legal liability for developers. The DPC of Ireland, tasked with oversight of Google’s compliance with the GDPR in Europe, has the power to issue fines up to 4% of Alphabet’s global yearly revenues for any confirmed infringement. 
Recently, the company has been launching a number of Google’s GenAI technologies, including a suite of general-purpose LLMs named Gemini but previously known as Bard. This technology forms the backbone of AI chatbots that can enhance the ability of user chats to search the internet. And at the centre of this customer-facing AI is a Google LLM called PaLM2, which was announced last year at its I/O developer conference.
The Irish DPC is now investigating how Google developed this foundational AI model under Section 110 of Ireland’s Data Protection Act 2018, which transposed the GDPR into national law.
Google’s GenAI is currently under scrutiny for privacy risk assessments in Europe. Models do tend to be developed based on large datasets, and the methods by which the creators of LLMs have sourced their information as well as the types of data collected are receiving increased scrutiny in view of various legal concerns, including issues of copyright and privacy.
In such a case, any information used to train an AI system with personal data of EU citizens will fall under the bloc’s data protection rules, whether it has been scraped from publicly available internet content or collected directly from users. A number of large language models have received questions, and sometimes GDPR enforcements on privacy compliance. The people mentioned include OpenAI, creator of GPT and ChatGPT, and Meta, developer of the Llama AI model.
There have been GDPR complaints against Elon Musk’s company, X, and criticism by the DPC because it uses data belonging to individuals to train its AI. The court cases brought about by the situation have made X agree to limit its data processing without fines. It is still likely that X could face a GDPR fine, pending the DPC’s decision whether X has violated the regulation with its handling of user data in training the AI tool Grok.
The investigation of Google’s GenAI for a DPIA by the DPC is the most recent in a stream of regulatory actions in this field.
Article 35 of the General Data Protection Regulation says that Google must do a Data Protection Impact Assessment (DPIA) when working on its main AI model, Pathways Language Model 2 (PaLM 2). The DPC said that Google is being investigated to see if it has met its obligations to do a DPIA.
This becomes fundamental when processing personal data creates a high risk, and it has to take measures for protection of basic rights and freedoms by DPIA.
The DPC said, “This statutory inquiry is an important part of the larger work that the DPC is doing with its EU/EEA peer regulators to oversee the processing of personal data belonging to EU/EEA data subjects in the context of AI model and system development.” It also added that the bloc’s network of GDPR enforcers is always seeking consensus on how to apply privacy law to GenAI tools. The company declined to comment on what data sources it uses to train its Google’s GenAI tools.
But a spokesman, Jay Stoll, said in an email statement: “We take seriously our obligations under the GDPR and will work constructively with the DPC to answer their questions.”
