EDPS Guidelines on generative AI: embracing opportunities, protecting people

The EDPS has published today its guidelines on generative Artificial Intelligence and personal data for EU institutions, bodies, offices and agencies (EUIs). The guidelines aim to help EUIs comply with the data protection obligations set out in Regulation (EU) 2018/1725, when using or developing generative AI tools.

Wojciech Wiewiórowski, EDPS, said: “The guidelines that I have issued today on generative AI are a first step towards more extensive recommendations in response to the evolving landscape of generative AI tools, which my team and I continue to monitor and analyse closely. Our advice published today is drafted with the aim of covering as many possible scenarios involving the use of generative AI, to provide enduring advice to EUIs so that they can protect individuals’ personal information and privacy.”

To ensure their practical application by EUIs, the guidelines emphasise on data protection’s core principles, combined with concrete examples, as an aid to anticipate risks, challenges and opportunities of generative AI systems and tools.

As such, the guidelines focus on a series of important topics, including advice on how EUIs can distinguish whether the use of such tools involves the processing of individuals’ data; when to conduct a data protection impact assessment; and other essential recommendations.

The EDPS issues these guidelines within its role as independent data protection authority of the EUIs, so that they comply with the EU’s data protection law applicable to them, in particular Regulation (EU) 2018/1725. The EDPS has not issued these guidelines within its role as AI Supervisor of the EUIs under the EU’s Artificial Intelligence Act for which a separate strategy is being prepared.