AI training gets green light: The proposal directly addressed one of the most contentious issues in EU privacy law: whether companies can train AI systems using personal data.The draft stated that AI training, testing, and validation may be conducted under the GDPR’s “legitimate interest” basis, as long as companies implement safeguards such as data minimization, transparency, and an unconditional right to object.”Processing of personal data for AI training may therefore be carried out for purposes of a legitimate interest,” the draft said, adding that developers must ensure the training is “beneficial for the data subject and society at large.”The Commission cited the need to detect bias and ensure accurate model outputs as examples of “beneficial” purposes.However, privacy lawyers said invoking legitimate interest for AI processing could open the door to large-scale data mining without individual consent, something GDPR was originally designed to prevent.The draft would also introduce a limited exemption for special category (sensitive) data that inadvertently appears in AI datasets. If removing such data would require “disproportionate effort,” companies could retain it under protective measures preventing its use or disclosure.
Sensitive data protections narrowed: In another controversial shift, the proposal would narrow the definition of sensitive data under Article 9 of the GDPR. Stronger protections would apply only when information directly reveals characteristics like race, religion, or health, excluding data that only implies those traits through analysis or inference.”For most types of personal data listed in Article 9(1), there are no such significant risks where the data are not inherently sensitive,” the draft said.Critics warn this could allow companies to infer protected characteristics”, such as sexual orientation or political opinions”, from seemingly neutral data without triggering higher legal protections.The European Law Institute acknowledged in its October 14 feedback that limited GDPR updates may be necessary, but cautioned that “improvements must not come at the expense of fundamental rights protection.”The proposed changes could significantly alter corporate data governance across Europe. Companies would no longer need consent management systems for most tracking cookies, but would have to maintain detailed documentation to justify processing under “legitimate interest.”The European Digital Rights network criticized the consultation as “exclusion by design” with “extraordinarily short” timelines and reality checks focused “almost exclusively on industry voices.”The Commission did not immediately respond to a request for comment.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4087355/european-commission-moves-to-loosen-gdpr-for-ai-and-cookie-tracking-2.html
