Less is more? On the Data Minimization in AI-based Personal Data Processing: Navigating Divides, Shaping Tomorrow in the Era of GDPR

Sammanfattning: This thesis is written in five Chapters. Chapter One starts with an introduction, then it focuses on the research questions and the limitations. Chapter two, describes data processing, especially AI-based personal data processing, and focuses on the possible risks of it. Chapter three explores the principle of data minimization in the GDPR, its application, techniques, and measures to perform it, and challenges. Chapter four is about the gaps in the GDPR regarding data minimization in AI-based personal data processing and discusses possible future challenges. The final Chapter summarizes the thesis and suggests recommendations. The key questions this thesis aims to answer are: To what extent is the GDPR sufficient and effective for AI technologies regarding data minimization? While AI models require vast amounts of data for training and proper functioning, how can a balance be struck between the rapid growth of AI technologies and their conformity with the principle of data minimization under the GDPR? What are the current gaps in the GDPR? What are the future concerns? This thesis discusses that while GDPR has taken long steps towards data protection, it falls short when it comes to data minimization in AI-based personal data processing. There are several challenges, such as technical and legal issues. Technical issues such as the large amounts of data that AI models need, and legal issues such as the lack of clear guidance in the GDPR regarding data minimization and AI. There are several concerns for the future as well, such as the rapid development of AI technologies, the increasing demand for personal data for AI purposes, and the conflicting interests of different stakeholders. Finally, this thesis provides a comprehensive examination of data minimization in AI-based personal data processing, evaluates the effectiveness of the GDPR in this context, specifies gaps and challenges, and introduces future concerns. It emphasizes the need for effective enforcement mechanisms, adequate safeguards for data subjects, ongoing reassessment of data minimization, and consideration of ethical standards in data minimization. This study concludes with an emphasis on the need for harmonization of data protection regulations, promotion of industry best practices, and public awareness and education about data minimization.