GenAI and Privacy

Privacy Principles

Within the world of artificial intelligence, data privacy is a major concern. The nature of artificial intelligence, including the reliance on abundant and accurate data, lends itself to the potential abuse of personal data. Each AI model or service is different, but six privacy principles drive how data should be managed, whether when simply using a GenAI service or training a new GenAI model. These privacy principles include purpose limitation, data minimization, lawfulness, transparency, protection, and duration. If your data use, or that of a service you use, violates these principles, you must find an alternative that adheres to these privacy principles.

Purpose Limitation

November 21, 2023 11:55 AM

From the start, we are clear about the purposes for processing personal data. These purposes are explicit and legitimate. We do not further process the data in a way incompatible with those purposes.

Data Minimization

November 21, 2023 12:03 PM

We confirm that the personal data we are processing is sufficient to properly fulfill the stated purpose, has a rational link to that purpose, and is limited to what is necessary. We do not collect or maintain more than we need for that purpose.

Lawfulness

November 21, 2023 12:07 PM

We verify that the collection and use of personal data is justified, legal, and is either necessary for the performance of a contract, pursues a legitimate interest, is necessary for compliance with a legal obligation or based on consent.

Transparency

November 21, 2023 12:10 PM

We are open and honest with people from the start about who we are, and how and why we use their personal data. We provide them with clear and intelligible information either through concise privacy notices or just-in-time statements.

Protection

November 21, 2023 12:16 PM

We verify that we have appropriate security measures in place to protect the personal data we hold against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Duration

November 21, 2023 12:19 PM

We do not keep personal data for longer than needed. After the original, defined purposes for which the data was collected are achieved, we securely destroy or de-identify the data in accordance with defined standards and policies.

Risk Factors for Violating Privacy Laws

If you’re considering using a GenAI service for your work, consider asking yourself the following questions as potential indicators of whether the service uses data in a way that protects privacy:

Risk Factor	Example
Do they have a current privacy policy?	If a service doesn't have a privacy policy, it almost certainly doesn't handle data in a safe way.
Is there an option not to use your data to train models?	Don't use your data to train models whenever possible. Some services will reset this setting whenever you open the app, so be careful!
How is data going to be stored?	Ensure that the way a service stores their data is secure. Insufficient security can lead to data leaks.
Does the service disclose data sharing policies?	If the service does not disclose data sharing policies at all, treat the service as if it will share your data.