Artificial Intelligence (AI)
A Data Privacy Impact Assessment is a process carried out to identify the impact on and risks of processing operations to the rights of data subjects and to determine the appropriate mitigation measures.
1. Artificial Intelligence and Data Privacy: What you should know
Artificial Intelligence (AI) refers to a set of technologies that enable computers to perform a range of advanced tasks that are typically associated with human intelligence, such as interpreting visual inputs, understanding and translating spoken or written language, answering questions, analysing data, making recommendations, generating computer code, and more.
AI tools are often provided as cloud solutions by external suppliers. They can be used either free of charge, with or without requiring user registration, or through a paid subscription.
These tools typically process personal data, such as user account information, device IP addresses and how users interact with the system. In addition, the input entered by users, e.g. a text submitted for translation, may also include personal data. For this reason, their deployment must comply with CERN’s internal data protection framework, Operational Circular No. 11 (OC 11).
While AI can bring many benefits - these technologies can indeed support innovation and improve efficiency - their use also raises important legal and ethical questions, including ones related to data privacy.
In many cases, data privacy isn’t considered early on - even though AI often relies on the processing of personal data.
Without proper attention to this aspect in projects’ design phase, AI deployment can lead to privacy risks such as unauthorised disclosure or use of personal data, lack of transparency, or decisions being made in ways that are unfair or difficult to explain to the persons concerned.
2. Procuring AI tools
So, what should be done before procuring or deploying an AI-based tool or feature?
First, be aware that under § 56.3 OC 11, significant technological changes to the processing of personal data require a Data Privacy Impact Assessment (DPIA). The deployment of AI currently still constitutes such a significant technological change. This means that if a DPIA has not yet been conducted for this or a similar processing activity, one must be completed before moving forward.
Once the DPIA is completed, you can proceed with the usual cloud procurement steps. This includes contacting the Cloud License Officer, who will coordinate the required privacy and security reviews of the service's terms and conditions.
And afterwards?
During the assessment and review phases, several mitigation measures may be recommended to ensure privacy risks are addressed. These may include:
- Implementing strong access controls.
- Limiting the categories of personal data processed.
- Ensuring human involvement by monitoring AI outputs to detect potential biases or unintended use of personal data.
- Ensuring clear documentation and transparency in how the AI system operates.
By taking these steps, we can all help ensure that CERN embraces the AI era in a responsible and compliant manner!
3. Using AI tools - Golden Rules for protecting your personal data in the age of AI
1. Think before you share
Often, it’s not necessary to share your own or others’ personal data when using AI tools. For instance, if you’re asking a chatbot to improve an email, it doesn’t need real names or contact details. Keep in mind that these conversations are usually stored and may be used to train the AI model. Only share personal data (and information in general!) if it’s truly necessary and you clearly understand how it will be processed.
2. Adjust your privacy settings
Take time to review and customise the privacy settings of AI tools and platforms to match your needs and comfort levels. For example, enable temporary chats or delete conversations that are outdated or no longer useful. Where available, activate privacy modes that prevent your data from being used to train the AI model.
3. Be critical
AI systems can make mistakes. Always question the results they produce, verify facts, and consider other viewpoints and sources before relying on AI-generated content.
4. Don’t rely solely on AI
AI can support your decisions, but it should not replace your own judgment. When using AI for work, ensure that you remain the author of your ideas.
5. Stay informed
Keep learning about how AI works, its benefits, and its risks. The more you understand, the better equipped you’ll be to use these tools safely and responsibly.
6. Know your rights
When using a CERN-official AI tool, information about how your personal data is processed will be provided in the CERN Layered Privacy Notice. If you are using an external tool not managed by CERN, data protection information will typically be found directly on the provider’s website, often in their privacy policy.
Useful Links
| Link Type | URL | 
|---|---|
| Procedure | Data Privacy Impact Assessment | 
