new | ask | show | jobs
dathinab 6 hours ago  [ - ]

no, it's very much compatible with GDPR and other laws, as

it clearly (enough, kinda) communicated

1. what data they keep/collect

2. what they do with it (and that there is a reason to have it)

3. with whom they share it

4. how long they keep it

---

GDPR might require data minimalism, but that doesn't mean you can't keep "all" conversations/data. It just means you have to have a reason of why exactly need all of it (they have), only keep it as long as strictly necessary (they do) and not use it for other purposes (they claim to do that).

Also from a legal POV you can't really argue that collecting all conversations for detecting abuse patterns is "unreasonable"/"unnecessary" or similar, as to some degree the AI Act requires exactly that for "high risk" AIs/use cases. And while by the definition of the AI Act AWS Bedrock likely doesn't fall under "high risk" they can argue that some people could (against TOS) use it for "high risk" or "illegal" AI use cases which is part of the "misuse detection" thing for which they keep conversations for a month.

Lastly GDRP deletion requests still apply. But need to be processed within ... 1 month (wich AFIK in a generic duration context you can treat as 30 days, even through there is a single shorter month). So they "auto comply" with this, too.

krzyk 5 hours ago  [ - ]

> how long they keep it

AFAIR it is not clear, because they write it is "30 days, but ...":

> After 30 days, the data is deleted automatically, except in the rare cases where it's part of a safety investigation or we're legally required to keep it.

So you have a vague clause saying "when" and vague clause saying for "how long". If it will fly I would be surprised.

aveao 4 hours ago  [ - ]

This is all pretty standard with GDPR.

jerf 6 hours ago  [ - ]

"Also from a legal POV you can't really argue that collecting all conversations for detecting abuse patterns is "unreasonable"/"unnecessary" or similar"

It is also worth remembering that the entity that you are explaining this GDPR retention reasoning to is the government. I don't see the EU telling Anthropic or another AI company they can't do this for safety reasons... what I see is future legislation requiring them to give the EU access to these logs so they can enforce they own definitions of safety on it.