In December 2024, the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth released a pivotal discussion paper titled “Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators.” This document serves as a framework for addressing privacy and data protection concerns related to the evolving field of generative artificial intelligence (genAI), highlighting various critical concepts that underpin its responsible use.
The paper delves into essential privacy principles including fairness, collection limitation, purpose specification, use limitation, individual rights, transparency, organizational accountability, and cross-border data transfers. Each principle is examined to determine how it can be systematically integrated into the development and deployment of genAI systems.
CIPL's recommendations call for legislative and regulatory adjustments to promote the beneficial development of AI technologies, with an emphasis on lawful mechanisms for using personal data to train models. The paper suggests that restrictive legal interpretations concerning the utilisation of personal data may hinder innovation within the AI landscape. Specifically, it outlines the importance of recognising that different data privacy rules apply at different phases of the AI lifecycle: data collection, model training, fine-tuning, and deployment.
Furthermore, organisations are encouraged to rely on the “legitimate interests” legal basis when processing publicly available data obtained via web scraping or collected directly from first parties. The use of such data should not undermine the fundamental rights of individuals and should be accompanied by appropriate risk-based mitigation measures. Additionally, the paper argues that sensitive personal data may be necessary in certain AI contexts—particularly to mitigate algorithmic bias and discrimination, as well as to enhance content safety.
In addressing technological development, the report discusses the need for the adoption of privacy-enhancing techniques, such as synthetic data and differential privacy. These technologies can allow for extensive datasets to facilitate the training of genAI models while simultaneously minimizing the risks associated with employing personal data.
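To make the differential-privacy technique mentioned above concrete, the sketch below shows a minimal (illustrative, not production-grade) Laplace mechanism applied to a counting query. The function names, the dataset, and the choice of a count query are assumptions for illustration; the paper itself does not prescribe a specific mechanism.

```python
import math
import random

def laplace_noise(scale: float) -> float:
    """Draw one sample from a Laplace(0, scale) distribution via inverse CDF."""
    u = random.random() - 0.5
    # sgn(u) * ln(1 - 2|u|) is negative, so the result is symmetric about 0.
    return -scale * math.copysign(math.log(1.0 - 2.0 * abs(u)), u)

def dp_count(records, predicate, epsilon: float = 1.0) -> float:
    """Differentially private count: true count plus calibrated Laplace noise.

    A counting query has sensitivity 1 (adding or removing one record changes
    the count by at most 1), so the noise scale is 1 / epsilon. Smaller epsilon
    means more noise and stronger privacy.
    """
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon)

# Hypothetical usage: count records with age >= 30 without revealing exact totals.
random.seed(0)  # seeded only to make the illustration reproducible
data = [{"age": a} for a in (25, 34, 41, 29, 52)]
noisy = dp_count(data, lambda r: r["age"] >= 30, epsilon=1.0)
```

The design trade-off this illustrates is the one the paper gestures at: the released value remains useful in aggregate (it stays close to the true count of 3) while the added noise limits what can be inferred about any single individual in the dataset.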
The principle of fairness is particularly salient in the realm of genAI and should guide the processing of personal data to ensure that models are accurate and equitable. The discussion paper posits that considerations around fairness should also extend to the implications of not developing certain AI applications for individuals or societies.
Data minimisation principles should also be construed contextually: data collection should be limited to what is necessary for the intended purposes, without obstructing the accumulation of data crucial for building robust genAI models.
One of the critical recommendations pertains to the flexibility of purpose limitation principles within the legal frameworks governing AI technologies. It advocates for accommodating the diverse range of applications for which genAI models can be utilised, highlighting that data processing for model development should be distinctly separate from processing tied to specific applications derived from that model.
Transparency requirements are similarly underscored, with responsibility falling on the entity closest to the individual. Where data is collected indirectly, public disclosures and other informational channels should be used to satisfy transparency standards. The paper emphasizes that transparency should be meaningful without compromising usability, functionality, or security.
CIPL urges stakeholders—including lawmakers, regulators, and developers—to engage in dialogue to clarify responsibilities throughout the phases of genAI development. It encourages organisations to invest in robust, risk-based AI and data privacy programmes to ensure continuous improvement and adherence to best practices in this rapidly shifting landscape.
Finally, the paper concludes by recommending that legislation and regulatory guidance should encourage accountability within AI operations and recognise the necessity of management programmes governing AI and data privacy.
Source: Noah Wire Services