
Data Privacy Newsletter – Generative Artificial Intelligence and Privacy Concerns : June 2023


Over the past year, Generative Artificial Intelligence (also known as “GenAI”) has taken the world by storm, gaining immense popularity and an ever-increasing user base worldwide. GenAI capabilities have proven ground-breaking, with a wide array of use cases, from creative work to passing complex exams.

What is Generative Artificial Intelligence?

GenAI refers to artificial intelligence technology that can generate diverse types of data, including images, videos, audio, text, and 3D models. By leveraging its understanding of patterns in existing data, GenAI can produce novel and distinctive outputs. Its capability to create intricate and lifelike content akin to human creativity has made it an invaluable tool across industries such as gaming, entertainment, coding, and product design. Recent advancements in the field, exemplified by breakthrough technologies like OpenAI’s ChatGPT for text-based outputs and Dall-E 2 and Midjourney for creating realistic images and art (among many others), have greatly enhanced the potential of GenAI.

Interplay between GenAI and Privacy

GenAI technology relies heavily on extensive datasets to train its algorithms and enhance its performance. These datasets may contain individuals’ personal information, which could include names, addresses, financial details, and sensitive data such as medical records or social security numbers. The collection and processing of personal information is governed by data protection laws. Privacy is at stake, and non-compliance risks are high, when the processing of personal information via GenAI is not aligned with the requirements of those laws.

The popularity of GenAI should not outweigh the privacy concerns associated with its use.

Significant privacy concerns associated with GenAI are as follows:

  1. Weak controls to restrict oversharing of personal information: A common concern is the lack of controls restricting how GenAI uses personal information for purposes not intended by the user. Users may share personal information to obtain a desired output but may be unable to control how GenAI subsequently uses it. Unauthorized access to or misuse of such personal information can lead to identity theft, cyberattacks, and social engineering scams such as phishing emails and financial fraud.
  2. Profiling: GenAI tools are capable of drawing profiling conclusions/inferences about their own users, developing assumptions about users’ preferences based on their activities on the internet.


  3. Transparency and accountability: The performance of GenAI tools depends on the types of datasets they consume. Because these tools are trained by crawling/scraping data, they require massive volumes of data, which may include personal data, for training and development. Transparency concerns arise because users are not given adequate notice about how a GenAI tool will use their data for deep-learning purposes, and appropriate consent mechanisms for the collection and use of personal information are missing.


  4. Data retention and deletion: GenAI often uses and stores large amounts of data, including personal information, during the training phase. In the absence of clear policies around data retention and deletion, there are challenges related to retention practices and the ability to delete personal information.


  5. Bias and discrimination: The outcomes generated by GenAI reflect the datasets fed into it, so results can be biased depending on the data used to train the GenAI. This can lead to discriminatory decisions that affect individuals; instances of discrimination through the use of GenAI have been observed during the pre-employment/screening stage.

Evolving Regulatory Measures to Address GenAI

Regulators worldwide are actively working on measures to safeguard users’ data from the potential risks associated with GenAI. Here are some of the steps they have taken:


  1. Data protection laws: Governments are enacting or strengthening data protection laws to hold companies accountable for the data they collect from users and ensure compliance with privacy regulations.


  2. Algorithmic accountability: Regulators are advocating for greater algorithmic accountability, asking companies to be transparent and fair in their use of algorithms and to take responsibility for the outcomes they produce.


  3. Privacy-by-Design: Regulators encourage companies to adopt a “privacy-by-design” approach, emphasising the integration of privacy protections into the design and development of products and services from their inception.


  4. Ethical AI Guidelines: The European Union has developed Ethical Guidelines for Trustworthy AI to assist companies in addressing the complex ethical challenges related to AI. These guidelines promote responsible and ethical AI development and usage.


The objective of these measures is to ensure that companies using generative AI are held accountable for data collection and usage, protecting users’ privacy rights.

Mitigating Privacy Risks Associated with GenAI


Given the existing privacy concerns, it is essential to design and implement practices and processes that safeguard against such risks. Protecting personal data from the potential risks associated with GenAI requires a combination of technical and policy measures. Here are some steps that can help safeguard personal data:


  1. Policies and processes: Design and implement comprehensive organisation-level policies and procedures for the usage of GenAI.
  2. Acceptable use of GenAI in an organisation: A balanced policy that identifies known risks while taking measured steps to promote innovation and the use of GenAI is a must for all organisations.
  3. Sandbox for AI innovation: Another popular approach among organisations keen to promote AI innovation is a sandboxing policy for experimenting with AI tools in their business. A sandbox is a testing environment in a computer system in which new or untested software or code can be run securely.
  4. Organisational security measures: Implement appropriate technical and organizational security measures to protect personal data, such as data anonymization, access controls, and encryption.


  5. Awareness: Conduct awareness sessions for stakeholders highlighting the privacy risks associated with the use of GenAI.
  6. Vendor contracts: Ensure that risks arising from the use of GenAI tools provided by vendors/service providers are mitigated contractually and that liabilities are covered.
  7. Regular auditing and risk assessments: Conduct regular audits and risk assessments to identify vulnerabilities and address potential risks associated with GenAI.
  8. Appointment of compliance officer/privacy officer: Designate individuals and/or teams responsible for ensuring compliance with data privacy obligations as mandated by applicable data protection laws.
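
As a minimal illustration of the technical measures above (anonymising personal data before it reaches a GenAI tool), the following Python sketch redacts a few common identifier formats from a prompt. The patterns and placeholder labels are hypothetical and far from exhaustive; a real deployment would use a vetted PII-detection tool with much broader coverage.

```python
import re

# Hypothetical patterns for a handful of common identifiers.
# Order matters: SSN is replaced before the phone pattern can match it.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

def redact(text: str) -> str:
    """Replace detected personal identifiers with typed placeholders."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text

prompt = "Draft a letter for jane.doe@example.com, SSN 123-45-6789."
print(redact(prompt))
# → Draft a letter for [EMAIL], SSN [SSN].
```

A filter like this can sit between users and a GenAI service so that the typed placeholders, rather than raw identifiers, are what leave the organisation's environment.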


Promote a privacy culture throughout the organization by emphasizing the importance of privacy compliance. While GenAI has the potential to significantly change how businesses create and use data, it also brings serious data privacy risks. Balancing those risks against GenAI’s benefits requires sustained attention to privacy compliance, safeguarding against the possibility of harm and violations of privacy laws.
