General Data Protection Regulation — AI Provisions

The General Data Protection Regulation (GDPR), in force since 25 May 2018, is the EU's comprehensive data protection law. While not specifically an AI regulation, GDPR contains several provisions that have profound implications for AI systems that process personal data, making it one of the most impactful regulations for AI compliance globally.

Article 22 of the GDPR provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. This provision directly governs AI-based decision-making systems used in areas like credit scoring, insurance underwriting, recruitment, and public service delivery. Organisations must provide meaningful information about the logic involved, the significance, and the envisaged consequences of such processing.

The lawful basis requirements under Articles 6 and 9 are particularly challenging for AI systems. Consent must be freely given, specific, informed, and unambiguous — requirements that are difficult to meet when AI processing is complex and opaque. Legitimate interest assessments must balance the organisation's needs against individual rights, which requires understanding how AI systems impact data subjects.

Data minimisation (Article 5(1)(c)) presents a fundamental tension with AI development, which often benefits from large datasets. Organisations must ensure they collect only data that is adequate, relevant, and limited to what is necessary for the specified purpose. This impacts AI training data strategies and requires careful justification for dataset scope.

The right to explanation and transparency requirements (Articles 13-15) mandate that organisations provide meaningful information about automated decision-making. For complex AI models, particularly deep learning systems, providing understandable explanations of how decisions are reached is a significant technical and legal challenge.

Data Protection Impact Assessments (DPIAs) under Article 35 are mandatory for processing that is likely to result in a high risk to individuals' rights and freedoms. Most AI systems processing personal data at scale will trigger DPIA requirements. The DPIA must assess the necessity and proportionality of the processing, the risks to individuals, and the measures to address those risks.

Purpose limitation (Article 5(1)(b)) restricts the use of personal data to the purposes for which it was collected. AI developers must carefully consider whether training AI models constitutes a compatible purpose, and the recent GDPR amendments and regulatory guidance have provided some flexibility for scientific research and statistical purposes.

The international transfer provisions (Chapter V) also affect AI systems, particularly cloud-based AI services and models trained on data from multiple jurisdictions. Organisations must ensure adequate safeguards for any transfer of personal data outside the EEA.

Data protection authorities across Europe have been increasingly active in enforcing GDPR against AI systems. Notable enforcement actions have targeted facial recognition companies, AI-driven advertising systems, and automated credit scoring, establishing precedents that shape how organisations must govern AI processing of personal data.