Morrison Foerster is an international law firm with lawyers practicing throughout the United States, Asia, and Europe. Click to discover more.

mofo_share_image.jpg

Morrison Foerster

common-default.jpeg

Terms / Notices

Cookies

Privacy Policy

Reporting Hotline

Attorney Advertising

Alumni

  Linkedin

MoFo LinkedIN

  Facebook

MoFo Facebook

YouTube

MoFo Youtube

Morrison Foerster - Footer

Data Subjects as Controllers: Violation of GDPR's Fairness Principle

You have not solved the recaptcha challenge yet or session expired, try again.

Email Disclaimer

Disclaimer

Unsolicited e-mails and information sent to Morrison Foerster will not be considered confidential, may be disclosed to others pursuant to our <a href="https://www.mofo.com/about/privacy-policy.html">Privacy Policy</a>, may not receive a response, and do not create an attorney-client relationship with Morrison Foerster. If you are not already a client of Morrison Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

Feedback

mofo-logo-2022.svg

People

Capabilities

Resources

About

Culture

Offices

Careers

Stay Connected

MoFo’s Lokke Moerel and Marijn Storm published an article with IAPP discussing whether individuals can be considered controllers for their own inputs and outputs, when using LLM chatbots.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

About Morrison Foerster

people-default-header-desktop.jpg

people-default-header-mobile.jpg

Default Meta Data

MoFo’s Lokke Moerel and Marijn Storm published an article with IAPP discussing whether individuals can be considered controllers for their own inputs and outputs, when using LLM chatbots. In its recent discussion paper, the Hamburg data protection authority considers deployers of LLM chatbots to be responsible for their prompts and resulting output. If this opinion is followed and consumers themselves are qualified as controllers, all responsibilities under the GDPR are then transferred to the individual. The taskforce of the European Data Protection Board rightfully considers this risk transfer a violation of the GDPR's fairness principle.The article is part 2 of a series on key data protection issues posed by large language models. Read the <a href="https://iapp.org/news/a/data-subjects-as-controllers-violation-of-gdpr-s-fairness-principle" target="_blank">full article</a>.The previous article, titled “Using special categories of data for training LLMs: never allowed?”, focused on the “lawfulness” of web scraping for purposes of training a LLM. Read the <a href="https://iapp.org/news/a/using-special-categories-of-data-for-training-llms-never-allowed-" target="_blank">full article</a>.

Data Subjects as Controllers: Violation of GDPR's Fairness Principle

Sign Up

<div class="videoWrapper"><iframe class="sticky-video" title="Meet Lokke Moerel, Privacy and Data Security Senior Of Counsel" src="https://www.youtube-nocookie.com/embed/uk873cH6OuE?rel=0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen="1" title="iframe"></iframe></div>Among the world’s best-known privacy and cybersecurity advisers, Lokke Moerel is regularly called upon by some of the most sophisticated multinational organizations to confront their global privacy and ethical challenges. Lokke routinely offers guidance to clients when implementing new technologies and digital business models and assists them with their global cybersecurity incident response and regulatory investigations.An authority on Artificial Intelligence (AI), Big Data, and the Internet of Things, Lokke has a proven track record helping clients shape complex AI projects that combine global data assets of multinational companies in the healthcare, financial services, technology, and recruitment sectors, with the intricate technologies of tech giants to create next generation AI solutions. An industry thought leader, Lokke presented a review of the drafted AI Regulation to a closed session of European Commission and Members of Parliament on behalf of the World Employment Federation and has spoken at SXSW on the subject of privacy and cybersecurity in the Metaverse. Lokke is MoFo’s lead counsel on Binding Corporate Rules (BCR) and has unsurpassed experience advising multinational companies in obtaining their BCR approvals throughout the EU, having authored the leading textbook on BCR published by Oxford University.Lokke is also professor of global ICT law at Tilburg University and co-academic director of the Tilburg University professional learning programs “Big Data: AI & Law” (teaching Algorithmic Accountability) and “Advanced Cyber Security and Governance.” Lokke is a member of the Dutch Cyber Security Council (the independent advisory body of the Dutch cabinet on cybersecurity), member of the Monitoring Committee of the Dutch Corporate Governance Code, and non-executive board member of several nonprofit organizations.Lokke has practiced law in the Netherlands, London, and Berlin, and is now resident in MoFo’s Brussels office. She is also a member of MoFo’s global Environmental, Social, and Governance (ESG) steering committee.

Lokke Moerel

Senior Of Counsel

Marijn Storm specializes on the intersection of law and technology, with a focus on cutting-edge technologies, such as (generative) artificial intelligence (AI) and large language models, ethical tech, and biometrics. Based in Morrison Foerster’s Brussels office, he advises global companies and organizations on a wide range of their most complex and pressing privacy and data security challenges.Marijn’s deep experience in both law and technology enables him to navigate the rapidly evolving landscape of privacy, data security, and technological innovation. Bridging the gap between legal requirements and technological advancements, Marijn advises and educates in-house legal teams on how to effectively manage and oversee technical applications such as AI and, specifically, generative AI. In addition, Marijn trains technical teams on implementing technical solutions in a privacy-by-design fashion, enabling compliance with AI and data protection laws around the world.Marijn also represents clients in class action and other litigation. For example, he has defended both digital advertising and public health clients against claims of alleged GDPR violations. In addition, he counsels clients on investigating and responding to major cybersecurity and ransomware incidents, including notification and related obligations. Marijn has also assisted a number of companies in obtaining regulatory approval for their Binding Corporate Rules, in both the EU and the UK.A recognized thought leader, Marijn regularly speaks at international data protection conferences (including IAPP) on topics such as the future of behavioral biometrics, the ethical application of AI, and developments in EU class actions. Marijn frequently publishes articles and client alerts on a variety of evolving topics, such as the EU AI Act and the NIST AI Risk Management Framework. Since 2019, he has been a guest lecturer at the Tilburg Institute for Law, Technology, and Society, where he teaches Algorithmic Accountability within the biannual course on AI & Law.Marijn is a Dutch-qualified lawyer and is fluent in Dutch and English.

Marijn Storm

Of Counsel

Privacy + Data Security