The use of artificial intelligence (AI) offers enormous potential for simplifying our work processes. This includes, for example, the use of AI systems for video transcription and analysis of online meetings. With such tools, the creation of documentation, summaries and to-do lists of meetings, for example, can be taken over by the AI. In this article, you can find out what needs to be considered when using AI tools for video transcription from a privacy law and AI Act regulation perspective.
1. GDPR requirements
Personal data & responsibilities
The AI tools record and transcribe the content discussed within meetings in real time. Personal data, e.g. names and email addresses of the participants, technically collected usage data (e.g. IP addresses or device information) and information about the participants and the spoken word are also processed. Depending on the tool, other data may also be analysed and, for example, information about the voice, participation in the meeting or the emotional state may be documented and interpreted.
The business that uses the AI tool is considered the controller under GDPR for the processing of the personal data. Providers of these tools predominantly act as processors.
Legal basis
As the controller, we require a legal basis for the processing of the personal data. This can vary depending on the context. According to the Baden-Württemberg supervisory authority in addition to legitimate interests in accordance with art. 6(1)(f) GDPR, consent in accordance with art. 6(1)(a) GDPR often comes into consideration.
If, for example, sensitive data (e.g. health data) is also included or participants disclose this information, additional requirements in accordance with art. 9 GDPR must be observed and express consent must be obtained for the processing of this data.
Furthermore, the spoken word is specially protected in Germany under §201 StGB and may only be recorded with consent. Consent may therefore also be required.
Additional GDPR obligations
In addition, there are further obligations under the GDPR:
- Transparency and information obligations:
Informing participants about data processing prior to the use of video transcription and analysis, e.g. directly with the invitation to the meeting. In addition, this should also be pointed out again immediately before the recording, e.g. via a pop-up window, and the option to object/revoke should be given.
- Processing contracts:
Data processing agreements (DPA) may need to be concluded with the provider of the AI tool. It must be checked here whether the providers also process the data for their own purposes (e.g. for training the AI) and whether joint responsibility can be considered and a joint controller agreement must be concluded (JCA).
- Inclusion of the processing in the record of processing activities (RoPA)
- Creation of a deletion policy
- Implementation of technical and organisational measures (TOM)
- Carrying out a threshold analysis and, if necessary, a data protection impact assessment (DPIA)
2. Requirements of the AI Act regulation
If an AI system is used to record meetings, the AI Act must always be observed. Under the AI Act, a business that uses such an AI tool is deemed to be the deployer of an AI system. The specific obligations that apply depend on the specific purpose of use and the corresponding risk classes of the AI Act. If, for example, the AI tool is used to recognise participants’ emotions or analyse their mood, its use could fall under the prohibited practices under Art. 5 of the AI Act or at least be considered a high-risk AI system.
According to the AI Act, there are certain transparency obligations under Art. 50 AI Act and information must be provided about the interaction with an AI system and the output must be labelled as artificially generated. In addition, the requirement to build up AI literacy in the business in accordance with Art. 4 AI Act applies to the use of all AI systems.
The use of video transcription and analysis of online meetings offers clear advantages. However, the legal risks relating to personal data and confidential information about the business should be taken into account in the decision-making process. We would be happy to support you with the assessment under GDPR and check the requirements under AI Act.