Germany Warns Public Authorities Not to Treat AI Privacy as an Afterthought

Key Takeaways

• Data Protection From the Start: Public authorities are expected to consider data protection issues at the earliest stages of AI development and deployment.
• Focus on Large Language Models: The guidance responds to widespread uncertainty around how LLMs handle, memorise, and reproduce personal data.
• Training and Use Risks Highlighted: Particular attention is paid to personal data processing during both the training and operational use of AI systems.
• Legality and Transparency Emphasised: Authorities must be able to clearly justify AI use and explain how personal data is processed.

Deep Dive

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has published new guidance aimed squarely at federal public authorities developing or using AI systems, particularly large language models (LLMs). The guide, “AI in Public Authorities – Considering Data Protection from the Outset,” is intended to help officials spot data protection issues early and take a more structured, practical approach to AI projects.

The timing is deliberate. Interest in LLMs has surged across the public sector, but clarity around how these systems handle personal data has lagged behind. According to the BfDI, that gap has left many authorities unsure where legal boundaries lie when training or deploying AI tools.

“There is considerable uncertainty for public authorities, particularly regarding the use of large language models,” said Louisa Specht-Riemenschneider, the Federal Commissioner for Data Protection and Freedom of Information. “With this guidance, I aim to contribute to legal certainty and highlight the data protection aspects that should be considered when using artificial intelligence in the authorities under my supervision.” She added that her office remains available to advise on the further review of specific AI projects.

Rather than offering abstract principles, the guide zeroes in on some of the most sensitive pressure points for public-sector AI. These include how personal data is handled during the training of LLMs, what happens when models memorise information, and how authorities can meet requirements around legality and transparency once systems are in use.

The guidance adds to a growing body of European oversight focused on keeping public trust intact as AI becomes more embedded in government decision-making and service delivery. For public authorities weighing the promise of AI against regulatory risk, innovation is welcome, but only if data protection is part of the design, not an afterthought.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.