Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place.
If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the time when personal data are obtained.” If, on the other hand, the personal data the organization includes in a prompt has been collected from a third-party source (e.g., scraped from the internet or received from another controller), the GDPR generally permits the controller to provide a copy of its privacy notice “within a reasonable period” after the data is collected. Furthermore, in the following situations the GDPR does not mandate that a privacy notice be directly provided to individuals:
- Individuals already know the organization’s privacy practices. If a “data subject already has the information” that would be contained within a privacy notice, the organization is not required to provide one to them.
- Impossibility. If providing a privacy notice directly to individuals is “impossible,” an organization is relieved of the requirement. That said, the GDPR requires that the organization “take appropriate measures to protect individuals’ rights and freedoms and legitimate interests, including making the information publicly available.”
- Disproportionate effort. If providing a privacy notice “would involve a disproportionate effort,” an organization is not required to provide the notice. That said, the GDPR requires that the organization “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”
- Processing cannot be disclosed pursuant to European Union law. If a European Union Member State imposes an obligation of secrecy that would prohibit an organization from disclosing the fact that it has processed an individual’s information, the organization is not required to provide individuals with its privacy notice. This exception would likely not apply to most organizations’ inclusion of personal data as part of AI prompts.