In December 2023, 'Bumble for Friends'—a feature of the dating app Bumble—used AI to generate 'AI icebreakers.' These are messages that users can use to 'break the ice' with their matches. To generate these AI icebreakers, AI technology (powered by OpenAI’s ChatGPT) is employed. In doing so, Bumble uses users’ personal profile information as input and shares (sensitive) personal data with OpenAI.
To enable the use of AI-generated icebreakers, users of Bumble for Friends received a pop-up upon opening the app stating: “AI breaks the ice. We use AI to help you get started with chatting. This allows you to ask questions that match the profile information of our members.” If users did not click “okay,” the pop-up would continue to appear until they did.
A complaint was filed against Bumble by None of Your Business (“NOYB,” European Center for Digital Rights) regarding this processing of personal data. NOYB argues that Bumble failed to comply with the six core principles of the General Data Protection Regulation (GDPR):
The complaint is based on three incidents:
Determine whether you are processing personal data within the meaning of the GDPR.
Comply with the core principles of the GDPR:
Ensure that any processing of personal data is lawful, fair, and transparent to the data subject.
Collect personal data for specified, explicit, and legitimate purposes and do not process it further in a way incompatible with those purposes.
Ensure that the data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Keep personal data accurate and up to date where necessary.
Store data in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data is processed.
Process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Ensure that the processing is lawful by meeting at least one of the legal bases for processing (Article 6 GDPR):
If relying on consent, ensure that you can demonstrate that the data subject has given consent to the processing of their personal data.
Ensure that consent is freely given. Individuals must have a genuine choice, without pressure, coercion, or negative consequences for refusal.
Do not process special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, health data, or data concerning a person’s sex life or sexual orientation – Article 9 GDPR), unless one of the exceptions in Article 9 applies, such as having explicit consent for one or more specific purposes.
Assess whether a Data Protection Impact Assessment (DPIA) is required and conduct one if necessary.
Ensure that data subject rights, such as the right of access, are honored within the appropriate timeframes.
If you need assistance with privacy matters, the use of AI, or conducting a DPIA, our firm is here to help. We have extensive legal expertise in the field of privacy and are happy to support you. Please contact Thaïna Franck.
Would you like to receive a monthly overview of updates and blogs in your inbox? Subscribe to our newsletter here!
