[mkreis]

It is in regards to the GDPR. If you're a European vendor and process PII, you must ensure some level of data protection. If you want to be on the safe side, you'll pick European providers instead of US hyperscalers (who have EU data centers, but are still US owned).

[mseri]

True, but we should also remember that some services like the fast responses and the image generations (may?) run in US data centres also for Mistral. So that part of the data, in principle, may end up in the ends of other extra European countries.

This said, I am really supportive of Mistral, like their work, and hope that they will get more recognition and more EU-centric institutional support.

[apwell23]

how does the 'memory' feature in mistral work wrt GDPR if i type in my personal information ?

[dax_]

GDPR doesn't stop personal data being stored. It handles whom it can be shared with, when it has to be deleted, and only collect as much data as required. Also gives transparency to the users about their data use.

And if I were to give over personal information to an AI company, then absolutely I'll prefer a company who actually complies with GDPR.

[apwell23]

yea i mean. how would they know how to remove it from 'memory' since they have no way to know with 100% accuracy which parts of my chart are PII.

[rsynnott]

The cautious approach on their part would be to just delete the whole thing on any subject access deletion request.

[apwell23]

yes if they aren't using that to train

[swores]

As a metaphor (well, a simile) think of it like if they were providing you with an FTP server or cloud storage. It's your choice what, if any, personal data you put into the system, and your responsibility to manage it, not theirs.

As to what to do if you, with a customer's permission, put their PD (PII being an American term) into the system, and then get a request to delete it... I'm not sure, sorry I'm not an expert on LLMs. But it's your responsibility to not put the PD into the system unless you're confident that the company providing the services won't spread it around beyond your control, and your responsibility not to put it into the system unless you know how to manage it (including deleting it if and when required to) going forwards.

Hopefully somebody else can come along and fill in my gaps on the options there - perhaps it's as simple as telling it "please remove all traces of X from memory", I don't know.

edit: Of course, you could sign an agreement with an AI provider for them to be a "data controller", giving them responsibility for managing the data in a GDPR-compliant way, but I'm not aware of Mistral offering that option.

edit 2: Given my non-expertise on LLMs, and my experience dealing with GDPR issues, my personal feeling is that I wouldn't be comfortable using any LLM for processing PD that wasn't entirely under my control, privately hosted. If I had something I wanted to do that required using SOTA models and therefore needed to use inference provided by a company like Mistral, I'd want either myself or my colleagues to understand a hell of a lot more about the subject than I currently do before going down that road. Thankfully it's not something I've had to dig into so far.