Hamburg: HmbBfDI publishes discussion paper on GDPR and LLMs

On July 15, 2024, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) published a discussion paper on the relationship between the General Data Protection Regulation (GDPR) and Large Language Models (LLMs). 

What are the notable points of the paper?

The paper aims to support companies and authorities dealing with data protection issues related to LLM technologies and contains an explanation of the technical aspects of LLMs and their evaluation in light of the relevant case law of the Court of Justice of the European Union (CJEU) on personal data under the GDPR. Additionally, the paper discusses the difference between LLMs as an artificial intelligence (AI) model and as a component of an AI system in accordance with the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act). 

The paper states, among other things, that:

  • the mere storage of an LLM does not constitute processing within the meaning of the GDPR. To the extent that personal data is processed in an LLM-supported AI system, the processing operations must comply with the requirements of the GDPR. This applies to the output of such an AI system;
  • due to the lack of storage of personal data in the LLM, the data subject rights under the GDPR cannot relate to the model itself. However, claims for information, deletion, or correction can at least relate to the input and output of an AI system of the responsible provider or operator; and
  • the training of LLMs with personal data must be carried out in compliance with data protection regulations and the rights of those affected must also be observed. However, training does not affect the legality of the model. 

You can read the press release here and the paper here, both only available in German.