The DPA takes the definition set out in the AI Act as a starting point to explain what an AI system actually is. It describes an AI system as a machine-based system that operates with varying levels of autonomy and can generate output based on analysis and pattern recognition. In doing so, the DPA emphasises that AI systems differ from traditional automated systems because they have the ability to infer on the basis of data or knowledge. The DPA further clarifies the distinction between an AI system and an AI model using a cooking analogy. Training an AI model is compared to developing a cake recipe, while the AI system is the one that actually prepares the cake. The quality of the output, or the cake, therefore, depends on the quality of the data, the ingredients, the reliability of the AI model architecture, the recipe, and the algorithm, the steps to be followed.
The DPA categorises AI systems into different types according to their purpose, namely expert systems, autonomous systems, cognitive computing, computer vision, AI powered robots and AI systems for natural language processing. Each category processes different types of personal data. Expert systems, for instance, often require structured personal data to function, while AI systems for natural language processing typically use chat histories and voice commands.
Regardless of the type of AI system, AI systems generally go through similar data processing activities throughout their life cycle. The DPA clarifies that data protection is relevant at every stage of this life cycle. The life cycle encompasses various steps:
- problem definition, where the purpose of the AI system is determined;
- data collection;
- data storage and management;
- data cleaning and preparation;
- training and validation;
- deployment and inference;
- monitoring,
maintenance and governance; and - retention, deletion or archiving of data.