The Irish Data Protection Commission (DPC) has launched a "Cross-Border Statutory Inquiry" to investigate whether Google has complied with regional data protection laws while processing the personal data of European users for its foundational artificial intelligence (AI) model.
The inquiry focuses on determining if Google fulfilled its obligations under Article 35[2] of the General Data Protection Regulation (GDPR), which mandates a Data Protection Impact Assessment (DPIA) for high-risk data processing activities. Specifically, the DPC aims to assess whether Google conducted such an assessment before processing the personal data of E.U. and E.E.A. data subjects for the development of its AI model, Pathways Language Model 2 (PaLM 2).
PaLM 2, introduced in May 2023, is Google's advanced language model, designed to enhance multilingual, reasoning, and coding abilities. As Google's European headquarters are located in Dublin, the DPC is the primary body overseeing the company’s adherence to the European Union's stringent data privacy regulations.
The DPC emphasizes that this inquiry is crucial to protecting individuals' fundamental rights and freedoms, particularly when the development of AI systems poses a "high risk" to personal data.
This inquiry follows a series of recent data privacy issues involving other tech giants. For instance, social media platform X (formerly Twitter) permanently agreed not to use European users' personal data to train its AI chatbot, Grok, without prior consent. In August, the DPC announced that X had agreed to suspend processing the personal data from public posts of its E.U. and E.E.A. users between May 7, 2024, and August 1, 2024.
Similarly, Meta recently acknowledged that it had scraped public data from Australian Facebook users to train its Llama AI models without providing them an opt-out option. Following a request from the DPC, Meta has paused the use of content posted by European users and has also suspended the use of generative AI (GenAI) in Brazil after a preliminary ban by the Brazilian data protection authority, which raised objections to its new privacy policy.
In a related case, Italy’s data privacy regulator temporarily banned OpenAI's ChatGPT last year over concerns that its data processing practices violated local data protection laws.