Argentine Data Protection Authority Co-Sponsors of the General Assembly Resolution on Generative Artificial Intelligence Systems Privacy

On October 20, 2023, the General Privacy Assembly (GPA) published its Resolution on Generative Artificial Intelligence Systems. The Resolution is sponsored by the European Data Protection Committee and co-sponsored by the Argentine Agency of Access to Public Information, the Ombudsman of the City of Buenos Aires (Argentina), the National Commission on Informatics and Liberties (CNIL, France), the Council of Europe, and the National Institute of Transparency (Mexico), and other regulatory bodies.

In its whereas, the Resolution expresses its concerns about generative artificial intelligence systems being fed personal data collected from publicly accessible sources. Further, it points out that the existing principles and laws on data protection and privacy—including data protection regulations—are applicable to generative artificial intelligence products and services, even when specific laws and policies on artificial intelligence are evolving in various jurisdictions.

The Resolution also highlights that, like any other artificial intelligence system, generative artificial intelligence must be conceived, developed, and operated responsibly and reliably, guided by principles of data protection, privacy, human control, transparency, and democratic values.

Thus, developers, providers, and implementers of generative AI systems must integrate data protection and privacy into all stages of development —from conception to the management of new products and services using such systems— following the principles of data protection and privacy by design. They must also keep records of their decisions and analyses in data protection and privacy impact assessments, which, while not explicitly mandatory in Argentina yet, it is recommended by the local regulator.

Finally, the Resolution emphasizes the importance of having a legal basis for data processing, as well as the need to limit its use and purpose, minimize data collection, and ensure accuracy. It also underscores the importance of transparency, of implementing security measures, of integrating privacy measures by design and by default, of recognizing data subjects' rights, and complying with the principle of accountability.