Personal Information Protection Commission Recommends Improvements to 6 AI Companies
AI Training Data Includes Resident Registration Numbers and Other Information
"Human Review Process Must Be Clearly Communicated to Users"
The government has issued extensive improvement recommendations to six major large language model (LLM) companies related to artificial intelligence (AI) services, including OpenAI, Google, and Naver.
On the 27th, the Personal Information Protection Commission held a plenary meeting and resolved to recommend improvements to six operators that develop and distribute LLMs or provide AI services based on them, to address vulnerabilities in personal information protection. The companies subject to the improvement recommendations are OpenAI, Google, Microsoft (MS), Meta, Naver, and Lunit Technologies.
As concerns over privacy violations have increased with the spread of AI services, the Personal Information Protection Commission, together with the Korea Internet & Security Agency, conducted a preliminary inspection starting in November last year. The inspection found that while companies generally met the basic requirements under the Personal Information Protection Act, some deficiencies were identified regarding ▲processing of personal information included in AI training data ▲privacy violations through human review processes ▲measures for preventing and responding to personal information breaches and transparency.
First, it was revealed that important personal information such as resident registration numbers and credit card numbers could be included in the data that AI randomly learns from. In the case of LLM developers such as OpenAI, Google, and Meta, it was confirmed that measures to pre-remove such key identifiers from training data were insufficient.
The Personal Information Protection Commission demanded strengthening protective measures at each stage of AI service provision and decided to provide operators with URLs detected where the personal information of Korean citizens was exposed on the internet.
Guidance on Usage for Artificial Intelligence Research When Signing Up for AI Services and Examples of 'Processed by Human Reviewer' Notices on Conversation Input Screens
Additionally, the Commission recommended clearly notifying users that conversations with AI chatbots may be reviewed by humans. The Commission explained, "LLM-based AI service providers employ multiple reviewers to ensure the AI model provides accurate answers by directly viewing and reviewing question and answer content to create datasets," and "it was confirmed that this is used for AI model training and prompt improvements as well as service enhancement."
However, from the user's perspective, it is difficult to know that human reviewers are involved in the data they input, and there is a possibility of entering sensitive personal information or emails, which poses a risk of privacy infringement. The Commission recommended improving accessibility to functions that allow users to easily delete their input data.
Finally, it was confirmed that even AI services based on the same LLM differ in the degree of preventive measures against breaches related to personal and sensitive information. The Commission also recommended establishing processes to promptly address vulnerabilities found in AI services or LLMs.
A representative of the Personal Information Protection Commission stated, "We will continuously monitor to safely protect the personal information of data subjects in line with changes in the AI industry," and added, "We plan to take follow-up measures such as establishing AI guidelines and developing enhanced personal information protection technologies." Naver said, "We will continue to work closely with the Personal Information Protection Commission to prioritize user personal information protection in providing our services."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
