The rise of generative artificial intelligence (AI) tools has been accompanied by a surge in privacy legislation worldwide. From the United States to countries around the globe, new or stricter privacy laws have been implemented in recent years, many of which explicitly regulate the application of AI.

Managing personal data within generative AI tools can be particularly complex when it comes to human resources (HR) data. Companies handle a wealth of personal information about their workforce, including sensitive data like health information and performance evaluations. Consequently, HR data is often the most sensitive information that companies deal with.

Within this complex space, there are three key issues to consider. Firstly, disclosing personal data to AI tools puts employers at risk of losing control of the data and facing potential data breaches. Secondly, generative AI services may process and collect personal data without adhering to data protection requirements, potentially making employers liable for violations. Thirdly, employers must ensure compliance with data rights requests when using generative AI services, all in accordance with applicable laws.

The risks associated with feeding personal data into generative AI cannot be ignored. While these tools excel at synthesizing and summarizing information, they can also put personal data at significant risk. Consider the hypothetical scenario of Acme Company, where the head of HR uses a generative AI service to create a presentation on employee compensation. Unbeknownst to the head of HR, the data becomes publicly available, leading to employee embarrassment and legal consequences.

Disclosure risks are a significant concern when using generative AI services. Personal data may be inadvertently or intentionally revealed by these tools, especially when they fine-tune their analysis based on user information. Users’ queries may also be disclosed to others. Before providing personal data to a generative AI service, companies should carefully evaluate the terms of use and negotiate protections for their data.

Deidentifying data can help mitigate risks associated with generative AI. However, meeting the high deidentification standards set by privacy laws requires more than simply removing names and identification numbers. Companies must ensure that recipients of deidentified data have agreed not to reidentify it, following the requirements of applicable laws.

Beyond the risks of submitting data, there are potential liabilities associated with using data collected by generative AI services. When employers rely on reports or outputs generated by these services, they may inherit legal risks arising from how the AI service handles the input data. While the AI service may be primarily liable for data protection violations, employers using these outputs could also be held liable, especially if they have signed service provider agreements with the AI service.

Navigating the intersection of generative AI and privacy obligations requires careful consideration of data protection issues. Companies should prioritize data security, evaluate terms of use, consider conducting due diligence on service providers, and ensure compliance with applicable laws and regulations.