https://taxonomy.eticas.ai/risk/privacy-confidentiality
Maturity: established
The risk that an AI system collects, processes, or infers personal information in ways that infringe on individuals’ rights to control their data (privacy), or that sensitive information is exposed, accessed, or shared without authorization (confidentiality). This includes risks from data leakage, re-identification, unauthorized use, or insufficient safeguards.
Also known as: Privacy · Data Privacy
System type: ADM and LLM systems
Lifecycle stages: Pre Processing, In Processing, Post Processing
| Framework | Reference |
|---|---|
| EU AI Act (Regulation 2024/1689) | Article 10(5) — special categories of personal data + Recital 47 (fundamental rights including privacy) |
| ISO/IEC 42001:2023 — AI Management System | Privacy considerations for AI systems |
| AIUC-1 — AI Underwriting Company Standard | Data & Privacy domain |
| Council of Europe Framework Convention on AI (CETS No. 225) | Article 11 — Privacy and personal data protection |
| IEEE Std 7002-2022 — Data Privacy Process | IEEE 7002-2022 (whole standard) |
| NIST AI 600-1 — Generative AI Risk Profile | Data Privacy |
| NIST AI Risk Management Framework (AI 100-1) | Privacy-Enhanced |
| OECD AI Principles | Human rights, rule of law, fairness & privacy |
| TC260 AI Safety Governance Framework (v2.0) | §3.1.2(a) Data risks — collection without consent + §3.1.2(d) Data risks — PII leaks |
| Framework | Reference |
|---|---|
| MIT AI Risk Repository | Compromise of privacy by obtaining, leaking or correctly inferring sensitive information |
| W3C Data Privacy Vocabulary — AI Extension | Personal Data Handling (DPV core) |
| AIR 2024 | Legal & Rights → Privacy (Unauthorized Privacy Violations × Sensitive Data types) |
| IBM AI Risk Atlas | Input → Data privacy + Output → Privacy violations |