Enforcement - Training Large Language Models (LLMs)
DATE OF UPDATE:
21 May 2024
LINKS
DPC statement on Meta AI | 21/05/2025 | Data Protection Commission
EDPB opinion on AI models: GDPR principles support responsible AI | European Data Protection Board
CURRENT STATUS
The Data Protection Commission (DPC) issued a statement on Meta AI. It refers to the EDPB Opinion issued in December 2024 that sets out general criteria that Data Protection Supervisory Authorities (DPAs) should take into account when assessing data protection compliance in relation to the development and the deployment of AI models.
WHY IS THIS APPLICABLE TO CLIENTS?
The application of the GDPR to new technologies such as LLMs raises complex challenges. The DPC states that it has required Meta to compile a report on the measures and safeguards it has introduced regarding the processing taking place. This report, which is expected in October 2025, will be of interest to other deployers of this technology.
GDPR Revision – Omnibus IV
DATE OF UPDATE:
21 May 2025
LINKS
Records of Processing Activities – DPC issues Welcome Guidance
CURRENT STATUS
Following the recent Competitiveness Compass and Mario Draghi's report on the future of European competitiveness, the EU has launched a series of initiatives to support business activity and reduce regulatory burdens.
Omnibus IV introduces targeted amendments to eight legislative acts, including the GDPR and Critical Entities Resilience Directive.
The EDPB and the EDPS had already adopted a letter addressed to the European Commission on the proposal, expressing preliminary support for the revisions and suggesting that the impact of the proposal, and the number of entities that would benefit from the revisions, be further explored.
WHY IS THIS APPLICABLE TO CLIENTS?
For small mid-cap companies and organisations with fewer than 750 employees, the change will mean that they will no longer need to create or update their existing records of activities (ROPAs) involving the processing of personal data in cases where these activities are not likely to result in a high risk to the rights and freedoms of data subjects.
NEXT STEPS
The proposal has been submitted to the ordinary legislative procedure (i.e. joint adoption of legislative acts by the European Parliament and the Council of the European Union).
DPC – Enforcement - TikTok
DATE OF UPDATE:
2 May 2025
LINKS
CURRENT STATUS
The DPC has fined TikTok Technology Limited ("TikTok") €530 million and ordered it to bring its processing into compliance within 6 months. The decision also includes an order suspending TikTok's transfers to China if processing is not brought into compliance within this timeframe. The sanctions follow its inquiry into the lawfulness of TikTok's transfers of personal data of users of the TikTok platform in the EEA to the People's Republic of China.
WHY IS THIS APPLICABLE TO CLIENTS?
The full decision in the case will be of interest to controllers transferring personal data to third countries. In this decision the DPC examined the supplementary measures and the Standard Contractual Clauses used by TikTok and found that they did not guarantee a level of protection essentially equivalent to that guaranteed within the EU.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.