AI training with sensitive data – What healthcare and pharmaceutical companies need to know right now

Data protection is one of the biggest challenges in the development and use of modern AI systems. If a system is trained using personal data or if personal data is processed during its use, the principles of data protection law must be observed.

Processing personal data is lawful if at least one of the conditions specified in Article 6(1), subpara. 1 of the General Data Protection Regulation (GDPR) is met. German and European supervisory authorities regularly advise that data processing should be based on the necessity to safeguard legitimate interests (Article 6(1)(f) GDPR).

However, if the processing involves special categories of personal data (e.g. health data), one of the exceptions listed in Art. 9(2) GDPR must also apply.

The momentous decision of the Cologne judges

The Higher Regional Court of Cologne has now issued a ruling on the scope of the processing ban. The decision contains several significant statements regarding AI training with sensitive data.

1. Mixed data sets (i.e. data sets containing both special category personal data and 'simple' personal data) are subject to the processing prohibition under Article 9(1) of the GDPR.

2. The processing prohibition under Article 9(1) GDPR does not apply to data that the data subject has clearly made public. However, this exception should be interpreted narrowly and can therefore only justify the processing of data that a user provides about themselves. It does not apply to third-party data.

3. According to the Higher Regional Court of Cologne, the prohibition in Article 9(1) GDPR requires 'activation' by the data subject. In any case, the processing prohibition laid down in Article 9(1) of the GDPR should only apply after a request from the data subject if the processing of sensitive data is unintentional and not targeted.

Commentary on the Higher Regional Court of Cologne

This last point, in particular, deserves close attention. Art. 9 data is subject to the strictest processing requirements. The ECJ has rejected numerous practical approaches to reconciling this prohibition with reality. Accordingly, the search for viable solutions continues.

The Higher Regional Court of Cologne is now relying on the AI Regulation, among other things, to construct a pragmatic approach that realises the EU legislator's proclaimed requirement to develop trustworthy, human-centred AI, particularly for improving healthcare. The court is creating new opportunities for argumentation for all bodies that rely on Article 9 data for development and training purposes.

In this respect, the Higher Regional Court of Cologne has made a decision that could signal a paradigm shift. In practice, the absolute prohibition on processing must be relativised on a case-by-case basis. The necessary digitalisation cannot be achieved through abstract, typified conflicts of fundamental rights alone.

What should companies do now?

  • Data inventory: Check whether your training data sets contain sensitive data and, if so, to what extent.
  • Validate legal bases: Evaluate whether there is a viable legal basis under Articles 6 and 9 of the GDPR, and document this.
  • Technical safeguards: Implement technical protective measures to prevent the unintentional processing of sensitive data.
  • Clarify responsibility: Determine who is responsible in each situation, and how this can be operationalised in a legally binding way.

Do you have any questions regarding the development or operation of AI systems? We provide practical, solution-oriented support, including legal feasibility studies and data protection-compliant system architecture.
