The European Data Protection Board (EDPB) adopted Opinion 28/2024 on 17 December 2024,[1] addressing key data protection issues that arise from the processing of personal data in the context of artificial intelligence (AI) models. Issued at the request of the Irish supervisory authority, the opinion provides clarity on important legal and compliance matters under the General Data Protection Regulation (GDPR).[2] It covers topics such as the anonymization of AI models, the use of legitimate interest as a legal basis for processing, and the consequences of unlawful data processing in AI development.
The relevance of the opinion is underscored by recent high-profile cases, including the €15 million fine imposed on OpenAI by the Italian Data Protection Authority for GDPR violations and the ongoing scrutiny of DeepSeek, both in the EU and the USA, for similar concerns.
This blog post will explore the main takeaways from the EDPB’s opinion and provide an overview of recent developments related to the OpenAI and DeepSeek AI models.
Key Questions Addressed by the EDPB
The opinion specifically addresses three critical questions in the context of AI models, which will be detailed below:[3]
I) When and how can an AI model be considered anonymous?
II) How can controllers demonstrate that legitimate interest is an appropriate legal basis for processing personal data during the development and deployment phases of AI models?
III) What are the consequences of unlawful processing of personal data during the development of an AI model on the subsequent processing or operation of the model?
I) Anonymity – When is an AI Model Truly Anonymous?
One of the most critical points raised in the EDPB opinion is the question of when AI models can be considered anonymous. This is a relevant issue for AI developers, as it impacts the applicability of the GDPR’s data protection requirements.
The EDPB makes it clear that AI models trained on personal data should not automatically be considered anonymous.[4] To be considered anonymous, both the likelihood of identifying individuals directly or indirectly from the model and the likelihood of retrieving such data through queries must be negligible. Importantly, the Board emphasizes that this assessment should be done on a case-by-case basis by the relevant supervisory authorities (SAs).
The opinion outlines several methods that controllers could use to demonstrate the anonymization of AI models. These include strategies to limit the amount of personal data collected during training, measures to reduce the identifiability of data, and ensuring the model is resistant to attacks that could expose personal information. SAs are tasked with evaluating these measures in the context of the specific AI model under review.
Even before the EDPB opinion, academic research had already questioned the effectiveness of traditional anonymization techniques, particularly for high-dimensional datasets. Scholars have noted that methods such as pseudonymization and k-anonymity have become increasingly inadequate for protecting privacy, given the ease with which modern datasets – such as mobile phone metadata or credit card transaction records – can be re-identified.[5] The prevailing academic consensus stresses the necessity for more advanced anonymization solutions to tackle the complexities of big data,[6] a view that aligns with the EDPB’s cautious approach to determining when an AI model can be considered anonymous.
II) Legitimate Interest – a Legal Basis for AI Data Processing?
The second major issue addressed in the opinion is the use of legitimate interest as a legal basis for processing personal data during the development and deployment phases of AI models. Under the GDPR, data controllers must establish a valid legal basis for processing personal data,[7] and the opinion clarifies that legitimate interest is one of the valid legal bases.
However, the EDPB emphasizes that legitimate interest is not automatically applicable to all situations. Controllers must conduct a three-step test when relying on this basis:[8]
- Identify the legitimate interest pursued.
- Evaluate the necessity of the data processing for achieving the identified interest, ensuring that no less intrusive alternative is available (“necessity test”).
- Assess whether the controller’s interest outweighs the data subjects’ fundamental rights and freedoms (“balancing test”). This step requires evaluating the specific circumstances of the case, and SAs may consider the data processed, the context of the processing, as well as the potential consequences of the processing.
The opinion underscores the importance of data minimization during the necessity test, urging controllers to only process the minimum amount of personal data required to achieve the legitimate interest. Moreover, SAs should consider the specific risks to fundamental rights, which may vary depending on the context of both the development and deployment of AI models.
III) Consequences and Risks of Unlawful Data Processing
Another crucial aspect of the opinion relates to the potential consequences of unlawful data processing during the development phase of AI models. Specifically, the opinion explores three possible scenarios:[9]
Scenario 1: If personal data is unlawfully processed and retained in the AI model during the development phase and subsequently processed by the same controller during the deployment phase, the legality of the initial processing must be assessed in light of the subsequent use. The EDPB suggests that this should be evaluated on a case-by-case basis, considering whether the processing activities constitute separate processing operations or share the same purpose.
Scenario 2: If personal data is unlawfully processed and retained in the AI model during the development phase and subsequently processed by another controller during the deployment phase, the new controller must conduct a thorough assessment to ensure that the original data processing was lawful. This assessment is critical to ensuring compliance with GDPR accountability obligations.
Scenario 3: If personal data is unlawfully processed in the development phase of the AI model, which is anonymized after this unlawful processing, the subsequent processing in the deployment phase will not be affected by the initial illegality, provided that no personal data is processed in the deployment phase. In this scenario, the GDPR would not apply.
In all these scenarios, supervisory authorities have the discretion to assess the potential infringement and determine the appropriate, proportionate measures to ensure compliance.
Legal and Ethical Implications for AI Developers and Data Controllers
The EDPB’s Opinion 28/2024 offers important guidance for AI developers and data controllers working with personal data. It emphasizes the need for robust documentation and demonstrable compliance with data protection principles, particularly in the areas of anonymization and legitimate interest.
For AI developers, ensuring that models are truly anonymous (or “non-personal”) is a challenging but essential task. The development process should be carefully documented, with clear steps taken to minimize risks to data subject privacy. For controllers relying on legitimate interest as a legal basis for processing, there is a need for thorough, case-specific assessments to justify the processing at every stage of the AI model’s lifecycle. The legitimate interest test must be carefully applied, taking into account the proportionality and necessity of the data processing.
Although the EDPB’s focus is primarily on legal considerations, ethical issues are equally critical in the development and deployment of AI systems.[10] These systems must be designed in ways that minimize biases, ensure fairness in decision-making, and uphold fundamental rights. Additionally, AI developers should adhere to established data ethics principles, ensuring that the data used for training algorithms is ethically sourced, non-biased, and processed in a manner that respects both individual rights and societal norms.[11]
Italy Fines OpenAI €15 Million: A Major Step in GDPR Enforcement
On 20 December 2024, the Italian Data Protection Authority, known as Garante, imposed corrective measures on OpenAI following an investigation into the processing of personal data in the context of its ChatGPT service.[12] The DPA found that OpenAI had processed users’ personal data without an appropriate legal basis, violated transparency requirements, and failed to implement age verification mechanisms to protect children under 13. As a result, OpenAI was fined €15 million and instructed to run a six-month public awareness campaign on data processing practices and user rights under the GDPR. Although the maximum fine under the GDPR could reach €20 million or 4% of global turnover, the €15 million fine was deemed appropriate, considering OpenAI’s “cooperative stance” during the investigation.[13] The Italian DPA, one of the EU’s most proactive AI regulators,[14] took an important step in addressing the challenges outlined in the EDPB’s Opinion 28/2024. This case highlights the need for AI developers to establish a legitimate legal basis for data processing and meet transparency obligations, underscoring the growing focus on AI compliance with GDPR and the protection of individual rights.
DeepSeek Under Scrutiny: GDPR Complaints and Global Concerns
On 28 January 2025, Euroconsumers, an international group of five consumer organizations (from Belgium, Italy, Portugal, Spain and Brazil), alongside its Italian member, Altroconsumo, filed a complaint with the Italian Data Protection Authority over the data practices of the DeepSeek Artificial Intelligence companies based in Hangzhou and Beijing.[15] Their formal complaint[16] alleges multiple GDPR violations, including illegal international data transfers to China, lack of transparency in data processing, and failure to clearly state the legal basis for collecting user data. Furthermore, DeepSeek has not appointed a European representative, despite providing services to EU users.
As a response, Italy’s data protection authority announced that it was “seeking answers from (…) DeepSeek on its use of personal data.”[17] This case illustrates the growing importance of ensuring GDPR compliance across international AI services, with a particular emphasis on protecting the privacy and rights of European users.
At the same time, authorities in the United States are investigating the DeepSeek app for potential national security risks.[18] White House press secretary Karoline Leavitt described the growing concerns over the app as a “wake-up call” for the American AI industry as the US works to secure its leadership in the field.[19]
Navigating a Complex Future of Data Protection in AI
The EDPB’s Opinion 28/2024 offers essential guidance for AI developers and data controllers in navigating the complexities of data protection.[20] By clarifying key issues such as anonymization, legitimate interest, and the consequences of unlawful data processing, the opinion ensures that AI models are developed in compliance with GDPR while upholding individual rights.
The growing emphasis on responsible data practices is reflected in recent enforcement actions, such as the Italian DPA’s fine against OpenAI, highlighting the importance of transparency, accountability, and a solid legal basis for data processing in AI systems. Similarly, the scrutiny faced by DeepSeek for alleged GDPR violations and the US investigation into its potential national security risks further illustrates the mounting pressure on AI companies to stay ahead of evolving data protection requirements and prioritize responsible practices.
[1] European Data Protection Board (EDPB). Opinion 28/2024 on Certain Data Protection Aspects Related to the Processing of Personal Data in the Context of AI Models. Adopted 17 Dec. 2024, https://www.edpb.europa.eu/system/files/2024-12/edpb_opinion_202428_ai-models_en.pdf, hereinafter: EDPB, Opinion 28/2024.
[2] European Parliament and Council of the European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), Official Journal of the European Union, 4 May 2016, L 119/1, hereinafter: GDPR.
[3] EDPB, Opinion 28/2024.
[4] Ibid.
[5] de Montjoye, Yves-Alexandre, et al. “Solving Artificial Intelligence’s Privacy Problem.” Facts Reports, Special Issue 17, 2017, pp. 80-83. https://journals.openedition.org/factsreports/4494.
[6] Gadotti, Andrea, et al. “Anonymization: The Imperfect Science of Using Data While Preserving Privacy.” Science Advances, vol. 10, 2024, eadn7053. https://www.science.org/doi/10.1126/sciadv.adn7053; Caruccio, Loredana, et al. “A Decision-Support Framework for Data Anonymization with Application to Machine Learning Processes.” Information Sciences, vol. 613, Oct. 2022, pp. 1-32, https://doi.org/10.1016/j.ins.2022.09.004.
[7] GDPR, Article 6.
[8] EDPB, Opinion 28/2024.
[9] EDPB, Opinion 28/2024.
[10] Ryan, Mark, and Bernd Carsten Stahl. “Artificial Intelligence Ethics Guidelines for Developers and Users: Clarifying Their Content and Normative Implications.” Journal of Information, Communication and Ethics in Society, vol. 19, no. 1, 2021, pp. 50-65. doi:10.1108/JICES-12-2019-0187.
[11] Rhem, Anthony J. “Ethical Use of Data in AI Applications.” IntechOpen, 26 May 2023, doi:10.5772/intechopen.1001597.
[12] Garante per la protezione dei dati personali. ChatGPT, Il Garante Privacy Chiude l’Istruttoria. OpenAI Dovrà Realizzare una Campagna Informativa di Sei Mesi e Pagare una Sanzione di 15 Milioni di Euro. 20 Dec. 2024, https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10085432; Pollina, Elvira, and Alvise Armellini. “Italy Fines OpenAI Over ChatGPT Privacy Rules Breach.” Reuters, 20 Dec. 2024, 9:51 PM GMT+1, www.reuters.com/technology/italy-fines-openai-15-million-euros-over-privacy-rules-breach-2024-12-20/.
[13] Pollina and Armellini, 2024.
[14] Ibid.
[15] MLex. “DeepSeek Faces Complaint About Its Handling of Personal Data.” 28 Jan. 2025, www.mlex.com/mlex/data-privacy-security/articles/2289923/deepseek-faces-complaint-about-its-handling-of-personal-data.
[16] Euroconsumers and Altroconsumo. Notification Pursuant to Article 144 of the Code on the Protection of Personal Data, Containing Provisions for the Adaptation of National Law to Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016. 28 Jan. 2025, www.euroconsumers.org/wp-content/uploads/2025/01/report_deepseek_eng.pdf.
[17] Reuters. “Italy Regulator Seeks Information from DeepSeek on Data Protection.” Reuters, 28 Jan. 2025, www.reuters.com/technology/artificial-intelligence/italy-regulator-seeks-info-deepseek-data-protection-2025-01-28/.
[18] Shalal, Andrea, David Shepardson, and Kanishka Singh. “White House Evaluates Effect of China AI App DeepSeek on National Security.” Reuters, 29 Jan. 2025, 12:43 AM, www.reuters.com/technology/artificial-intelligence/white-house-evaluates-china-ai-app-deepseeks-affect-national-security-official-2025-01-28/.
[19] Ibid.
[20] EDPB, Opinion 28/2024.