EDPS unveils revised Guidance on Generative AI, strengthening data protection in a rapidly changing digital era
EDPS unveils revised Guidance on Generative AI, strengthening data protection in a rapidly changing digital era
The European Data Protection Supervisor (EDPS) today published its revised and updated guidelines on the use of generative Artificial Intelligence (AI) and processing of personal data by EU institutions, bodies, offices, and agencies (EUIs), reflecting the fast-moving technological landscape and the evolving challenges posed by generative AI systems.
This updated guidance reinforces the EDPS’ commitment to advising EUIs to help them fully comply with their data protection obligations set out in Regulation (EU) 2018/1725.
Building on feedback from EUIs, the revised guidance offers clearer and more practical instructions for the responsible development and deployment of generative AI tools. It introduces a number of key updates, including:
• a refined definition of generative AI for greater clarity and consistency;
• a new, action-oriented compliance checklist to help EUIs assess and ensure the lawfulness of their processing activities;
• clarified roles and responsibilities, assisting EUIs in determining whether they act as controllers, joint controllers, or processors;
• detailed advice on lawful bases, purpose limitation, and the handling of data subjects’ rights in the context of generative AI.
Wojciech Wiewiórowski, European Data Protection Supervisor, said: “Artificial intelligence is an extension of human ingenuity, and the rules governing it must evolve just as dynamically. This first revision of our Orientations is more than an update; it's a reaffirmation of our dual mission: enabling human-centric innovation within the EU while rigorously safeguarding individual’s personal data. With this new version, we provide hands-on guidance to ensure that any generative AI used by EU institutions serves the public interest without compromising Europe’s data protection standards.”
The revised guidance underlines the EDPS’s proactive approach to monitoring technological developments and advising EU institutions on how to integrate innovation with respect for privacy and data protection. The EDPS will continue to track the evolution of generative AI and update its guidance where necessary to address emerging challenges.
The EDPS issues these guidelines within its role as independent data protection supervisory authority of the EUIs. The EDPS has not issued these guidelines within its role as a market surveillance authority under the EU’s Artificial Intelligence Act.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
About the EDPS: The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
The selection procedure for a new EDPS mandate for a term of five years is still ongoing.