On December 3, 2024, the Spanish Data Protection Authority (AEPD) published an article on the assessment of the training processing of an artificial intelligence (AI) system based on machine learning and neural networks. The article also outlines how data protection principles like accountability, minimization, and accuracy apply to AI training processes.

Data training processes

The article uses a hypothetical AI system designed to classify individuals as overweight or not, based on height and weight, to demonstrate data training challenges. Specifically, the article compares two approaches:

• a simpler model: a single-neuron network that effectively classifies data with minimal samples due to its quasi-linear design; and
• a complex model: a multi-neuron network with higher complexity, requiring more training data to avoid errors or 'hallucinations.'

The article highlights how the simpler model can be more efficient and accurate and achieves better results with fewer resources. In contrast, the article notes that the complex model may be inefficient and inaccurate without an extensive and diverse dataset.

Implications for data protection

The article outlines the implications of the findings for the following data protection principles under the General Data Protection Regulation (GDPR):

• Minimization and accuracy: The simpler model demonstrates that fewer, well-chosen samples can achieve the purpose of training effectively. This supports the principle of minimization by reducing the amount of personal data needed.
• Data Protection by Design: Mature development methodologies and informed decision-making at the design phase are critical for ensuring compliance with data protection principles. These methodologies optimize resource use and output quality.
• Accountability: AI systems must incorporate technical and organizational measures that allow organizations to demonstrate compliance with GDPR principles, particularly during the selection and training phases.
• Efficiency and legitimacy: Inefficiencies in data collection and training may render AI systems non-compliant with proportionality and legitimacy requirements, particularly when extensive datasets are unnecessary or infeasible.

You can read the article, only available in Spanish, here.