Transparency in AI Use: Legal Obligations and Practical Challenges
Artificial intelligence (AI) has become an integral part of our everyday lives. More and more companies are using AI systems to optimize processes, make decisions, or analyze user behavior. However, this raises important questions regarding data protection: Do users need to be informed when AI evaluates their data, makes assessments, or even initiates blocks?
These questions are increasingly crucial given the rapid development of AI technologies. Users have a fundamental right to know how their personal information is processed. Concurrently, companies face the challenge of explaining complex AI processes understandably without revealing business secrets. Therefore, balancing transparency and competitiveness is essential.
This balance involves not only data protection regulations – including the need for GDPR compliance for the self-employed – but also competition law aspects and industry-specific regulations, such as the Network Enforcement Act (NetzDG) for social networks. The issue of transparency in the use of AI is inherently complex and demands a differentiated approach.
Transparency: A Core Principle of Data Protection
Transparency is a central principle of the General Data Protection Regulation (GDPR). Data controllers must inform data subjects clearly and comprehensively about how their data is processed. This empowers users to decide whether they consent to data processing and to exercise their rights.
According to Art. 12 et seq. GDPR, this information must be provided in a "concise, transparent, intelligible, and easily accessible form, using clear and plain language." The specific purposes of the processing must also be stated, as per Art. 13 para. 1 lit. c GDPR. This applies especially to the use of AI.
AI systems often make decisions that are difficult for individuals to comprehend, leading to risks of discrimination and erroneous judgments. Therefore, it is vital for companies to openly communicate their use of AI. This enables affected individuals to assess the potential consequences of such data processing.
Simply making general references to AI use is insufficient. Instead, the essential functionalities and decision criteria of AI systems must be explained. This should be done insofar as possible without disclosing business secrets, as highlighted in Recital 58 GDPR.
Information Obligations for AI Use
The AI Regulation (Artificial Intelligence Act), adopted by the European Parliament in April 2024, introduces specific transparency obligations for high-risk AI systems. These include AI applications critical for access to education, employment, justice, or law enforcement. For start-ups, navigating these new rules means ensuring compliance with the EU AI Act. Providers of such systems must disclose that AI is being used and explain its operation.
This ensures that affected individuals understand the basis for decisions, as stipulated in Art. 1 and Annex III of the AI Act. AI systems are considered high-risk if they serve as a safety component for products subject to third-party conformity assessment or if used in sensitive areas like employment, education, law enforcement, or justice.
Users must also be informed about their rights, such as the right to object to automated decisions (Art. 22 GDPR). However, information obligations are also sensible and necessary for less risky AI systems. Any form of automated analysis impacts users' rights, making transparency crucial.
Companies should therefore clearly state in their privacy policies if they use AI for purposes such as:
- Analyzing user behavior and creating profiles.
- Evaluating or categorizing users.
- Making automated decisions (e.g., blocking or refusal).
They must explain the purposes of AI-supported processing and its potential impact on users. Furthermore, companies should specify whether the AI systems were acquired from third parties or developed in-house.
The ECJ ruling of 13/05/2014 (C-131/12 – Google Spain) supports this, requiring search engine operators to provide information about their ranking algorithm's functioning, provided it doesn't reveal business secrets. This principle of transparency extends to other AI applications.
Competition Law Claims and NetzDG
Beyond data protection, competition law claims can also arise if companies conceal the use of AI. For instance, a misleading privacy policy may constitute a violation of 5.html" target="_blank" rel="noopener">Sections 5 and 5a.html" target="_blank" rel="noopener">5a UWG.
Businesses that mislead users about data processing are acting unfairly and can face injunctions from competitors. The BGH clarified this in its decision "Customer card bonus program" of 29.07.2021 (I ZR 40/20). Accordingly, misleading information includes concealing or embellishing material details about data processing.
A non-transparent privacy policy can also be anti-competitive if it obscures the scope of consent (cf. OLG Frankfurt, Urt. v. 27.06.2019 – 6 U 6/19). This emphasizes the need for clear and understandable communication regarding AI use.
Special Provisions for Social Networks under NetzDG
The provisions of the Network Enforcement Act (NetzDG) apply to social networks. Platforms must inform users in their terms and conditions and community standards about how they review and remove content (Section 3b NetzDG). If AI is utilized for this purpose, its application must also be made transparent.
Failure to comply can result in fines from the Federal Office of Justice. The judgment of the Higher Regional Court of Karlsruhe of 28.02.2022 (15 W 4/22) is particularly relevant, which required Facebook to disclose its deletion practices. The court found that Facebook's community standards lacked sufficient information on the criteria for removing posts, and the use of AI for detecting hate speech and other prohibited content was not adequately explained.
The Challenge of Comprehensible Information
A significant challenge is that many users do not read privacy policies due to their length and complexity. Companies must therefore communicate necessary information about AI use as concisely and understandably as possible. This requires innovative approaches to information design.
AI systems are often perceived as "black boxes" whose decision-making processes are difficult for experts to grasp. It is crucial to highlight key aspects and explain them in plain language. New, user-friendly methods are needed, such as:
- Layered notices
- Icons and videos
- Interactive elements like chatbots
The goal is to convey core messages quickly while allowing users to access more detailed information if needed. However, the information must not be overly superficial; it should cover all essential aspects. Creativity is required to present complex issues clearly without overwhelming the user.
Information should also be updated regularly as AI usage evolves. The Data Protection Conference’s guidance on AI and data protection from 06.05.2024 offers valuable guidelines. It outlines best practices for designing data protection notices when using AI, including the use of pictograms and traffic light colors to visualize risk levels.
Conclusion
AI presents significant opportunities but also entails risks for fundamental rights and data protection. This makes transparency all the more critical. Companies utilizing AI should proactively inform users about it, not merely as a legal requirement but also as a means to build trust.
Only when individuals understand how their data is used can they trust AI systems and benefit from their advantages. Data protection should not be viewed as a barrier but as an enabler for AI applications that serve the common good. Simultaneously, information obligations must be implemented proportionately; excessively long and incomprehensible data protection declarations serve no one.
Instead, a new "information culture" is needed to reconcile transparency and usability. If successful, all parties benefit: companies can harness AI's potential, users retain control over their data, and data protection becomes a quality feature for trustworthy AI applications. This requires continuous dialogue among business, science, politics, and civil society to jointly develop standards for the ethically responsible and legally compliant use of AI. The EU's AI Regulation offers significant impetus, but its principles must be actively applied in practice.