The Data Protection Commission (DPC) today announced that it has commenced a Cross-Border statutory inquiry into Google Ireland Limited (Google) under Section 110 of the Data Protection Act 2018. The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35 of the General Data Protection Regulation (Data Protection Impact Assessment), prior to engaging in the processing of the personal data of EU/EEA data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2).
A Data Protection Impact Assessment (DPIA), where required, is of crucial importance in ensuring that the fundamental rights and freedoms of individuals are adequately considered and protected when processing of personal data is likely to result in a high risk.
This statutory inquiry forms part of the wider efforts of the DPC, working in conjunction with its EU/EEA peer regulators, in regulating the processing of the personal data of EU/EEA data subjects in the development of AI models and systems.
Cross-Border processing means either:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Article 35 of the General Data Protection Regulation (GDPR) provides that a Data Protection Impact Assessment (DPIA) is required where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals. A DPIA assessment is a key process for building and demonstrating compliance, which ensures that data controllers identify and mitigate against any data protection risks arising from a type of processing that entails a high risk. It seeks to ensure, among other things, that the processing is necessary and proportionate and that appropriate safeguards are in place in light of the risks.