Processing of synthetic data in AI development for healthcare and the definition of personal data in EU law

Abstract

Abstract Artificial intelligence (AI) has the potential to transform healthcare, but this requires access to health data. Synthetic data generated through training machine learning models on real data offers a way to balance innovation and privacy protection. However, uncertainties in the practical classification of synthetic health data under the General Data Protection Regulation (GDPR) currently limits the possible benefits of synthetic data. Through a systematic analysis of relevant legal sources and an empirical study, this article explores whether synthetic data should be classified as personal data under the GDPR. The study investigates the residual identification risk through generating synthetic data and simulating inference attacks, challenging common perceptions of technical identification risk. The risk of identification depends on several factors. The findings suggest synthetic data are often likely anonymous since results of an attack cannot easily be verified. The legal analysis highlights uncertainties about what constitutes a ‘reasonably likely’ risk and a need to further investigate a threshold for accepted risk. To promote innovation, the study calls for clearer regulations to balance privacy protection with the advancement of AI in healthcare.

Ähnliche Arbeiten