A new regulation came into force on 1 January, supplementing the GDPR. It speeds up the work of data protection authorities in enforcement cases that involve multiple countries in the EU/EEA. The regulation provides, among other things, for time limits, stages of investigation, the exchange of information between authorities, and the rights of the parties concerned. In future, data protection authorities will have to issue a resolution proposal on a cross-border case as a rule within 12-15 months. In the most complex cases, the deadline can be extended by 12 months. The regulation will apply from April 2027. 

Stay up to date! Sign up to receive our fortnightly digest via email.

UK Adequacy decision

The European Commission adopted two new adequacy decisions for the UK – one under the GDPR and the other under the Law Enforcement Directive, until 27 December 2031.  In accordance with the new decisions, transfers of personal data from the EU to the UK can continue to take place without any specific framework. Following Brexit, the Commission adopted two adequacy decisions vis-à-vis the UK in 2021. Sunset clauses had been introduced in each of the decisions. The decisions expired in mid 2025, but have been extended until the end of the year. The EDPS has since issued an opinion on these decisions.

More legal updates

US consumer privacy updates: In Kentucky, as well as Indiana, Rhode Island and several other states, GDPR-enhanced legislation related to consumer data privacy took effect on January 1. In Kentucky, in particular, the new legislation establishes the rights to confirm whether data is being processed, to correct any inaccuracies, to delete personal data provided by the consumer, to obtain a copy of the consumer’s data, and to opt out of targeted advertising, the sale of data, or profiling of the consumer along with requirements for entities that control and process their data.

Similarly, in January, new regulations became effective in California regarding a risk-assessment framework for certain high-risk data processing activities, as well as transparency and notice requirements, disclosure of sensitive personal information, data breach reporting, consumer rights requests, and data collection and deletion by data brokers. 

AI use by banks

The Hungarian data protection regulator issued a report on the processing of personal data by AI systems used by banks in Hungary (available in English). Some good practices indicated by the report include:

• AI recognition of images, voices and texts must be reliable, without compromising data security. Principles of data minimisation and storage limitation must be observed.
• The quality of the data used for AI training is important, as well as identifying whether or not the training data needs to be linked to a specific natural person. In many cases, pseudonymisation or anonymisation can be used to mitigate privacy risks before training.
• The use of ‘Shadow AI’ is becoming a new phenomenon. It covers all cases where, in an organisation, users use AI systems in an unregulated, non-transparent, uncoordinated manner from the point of view of the organisation, either for work or for some personal use, using the organisation’s IT infrastructure. 
• In their operations, certain banks under review also use analytical models to analyse and predict creditworthiness and product affinity, the precise classification of which may raise questions. They often operate on a statistical basis, but may also have an AI-based component, and it is necessary to apply the appropriate safeguards. 

More from supervisory authorities

EU Data Act: The French privacy regulator CNIL explained how the EU Data Act is going to reform the EU digital economy, gradually implemented through 2026-2027. The Act sets fair rules on the access and use of personal or non-personal data generated by connected objects. It allows anyone who owns or uses connected products to access the data generated by this object. It also facilitates their sharing with other actors, in particular by prohibiting unfair contractual clauses.

The implementation of this regulation must be done in conjunction with the GDPR. In particular, it provides that in the event of a contradiction between the two texts, it is the GDPR that prevails when personal data is concerned.

Similarly, the Digital Governance Act should be taken into account, which has set up new trusted intermediaries to encourage voluntary data sharing.

Bodycam use: At the end of December, the CJEU ruled in a case regarding a data controller’s obligation to provide information when collecting personal data via a body-worn camera worn by ticket inspectors on public transport. The collection of personal data by means of body-worn cameras constitutes collection directly from the data subject. The information obligation must therefore be respected at the time of collection, Article 13 of the GDPR. The information obligation can operate at several levels, where the most important information is, for example, stated in a warning sign, while the remaining information can be provided in another appropriate (and easily accessible) way.

Disney US settlement

On 31 of December, a federal judge required Disney to pay 10 million dollars to settle FTC allegations that the company allowed personal data to be collected from children who viewed child-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule). A complaint alleged that Disney violated the COPPA Rule by failing to properly label some videos that it uploaded to YouTube as “Made for Kids”.

The complaint alleged that by mislabeling these videos, Disney allowed for the collection, through YouTube, of personal data from children under 13 who viewed child-directed videos and used that data for targeted advertising to children.

More enforcement decisions

TikTok investigations: According to vitallaw.com, the Spanish and Norwegian data protection authorities have issued warnings to TikTok users regarding the company’s transfer of personal data to China, where national laws could require that data be shared with Chinese authorities. TikTok already faces EU fines over violations of the GDPR and was ordered to stop transferring personal data to China. 

So far, TikTok has been granted an interim injunction that allows the company to continue transferring personal data to China until the case is resolved. As a result, regulators are warning users to read the online platform’s notifications and privacy policies, check their privacy settings and think about what they share in the app. It is also recommended that businesses consider whether to continue using TikTok and conduct risk assessments.

PCRM software fine: Finally, the French CNIL has fined Nexpublica 1,700,000 euros for failing to provide sufficient security measures for a tool for managing the relationship with users in the field of social action.  Nexpublica (formerly Inetum Software), specialises in the design of computer systems and PCRM software used in particular by homes for disabled people.

At the end of 2022, Nexpublica customers made data breach notifications with the CNIL, because users of the portal had access to documents concerning third parties. The CNIL then carried out inspections of the company, which revealed the inadequacy of the technical and organisational measures. It is considered that the vulnerabilities found:

• were mostly the result of a lack of knowledge of the state of the art and basic safety principles;
• were known and identified by the company through several audit reports.

Despite this, the flaws were only patched after the data breaches.

The post Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns appeared first on TechGDPR.

Executive Summary: The Dual Compliance Imperative and Strategic Findings

Organisations that leverage advanced data processing, particularly those developing complex Artificial Intelligence (AI) systems, face a critical and often unrecognized strategic risk: the prolonged retention of training data. European Union (EU) law establishes conflicting imperatives regarding data lifecycle management, creating a fundamental compliance challenge. The General Data Protection Regulation (GDPR) mandates personal data erasure as soon as the data is no longer required for its established purpose, while the newly implemented EU AI Act demands lengthy archival of system documentation.

The Inescapable Regulatory Conflict: Delete Now vs. Document for a Decade

The core of the conflict lies in the tension between personal data protection and system accountability. The GDPR is clear: personal data must be erased once its specific processing purpose is fulfilled. This is enforced by the Storage Limitation Principle (Article 5(1)(e)). Retention beyond this defined necessity, even if the data might be useful for future research or system retraining, is deemed a direct violation unless a new, distinct, and lawful purpose is established.

Conversely, the EU AI Act introduces stringent requirements for system traceability, particularly for High-Risk AI Systems (HRAS). Providers of HRAS must maintain comprehensive technical documentation, quality management system records, and conformity declarations for up to 10 years after the system is placed on the market (Article 18, EU AI Act). This requirement applies to system records, ensuring long-term accountability, but does not override the fundamental protection afforded to individuals’ data under the GDPR.

The GDPR Foundation: The “Storage Limitation” Principle 

The entire framework of data retention under EU law rests on the GDPR’s Storage Limitation Principle (Article 5(1)(e)).This foundational rule dictates that personal data must be kept “for no longer than is necessary for the purposes for which the personal data are processed.” This is the core principle driving all retention decisions.

The GDPR does not set generic retention times, instead placing the full burden on the data controller to define, document, and justify a specific deletion timeline for every category of data. If personal data (which is defined broadly to include information beyond PII, like cookie IDs) is used to train a system, the retention clock starts ticking. Organisations leveraging advanced data processing face a critical strategic risk: retaining training data for too long. The GDPR is unambiguous; personal data must be erased once its specific processing purpose. Retention beyond that, even for potential future research, is a direct violation unless a new, distinct, and lawful purpose is established.

Defining the Critical Strategic Risk for GDPR non-compliance

The strategic risk is precisely defined by failing to establish, document, and legally justify a specific deletion timeline for every category of personal data used in the training process. The absence of generic retention times in the GDPR places the full burden of definition and justification squarely upon the data controller. 

This environment forces organizations to confront a critical trade-off: is the unproven, speculative future value of raw personal data worth the risk of fines and potential data breaches? The calculation strongly favors deletion. As, 

• Failing to define and document specific deletion timelines exposes organizations to GDPR violations.
• Retaining data for future retraining or academic purposes is legally indefensible once the initial training purpose is fulfilled.
• Financial penalties for non-compliance can exceed the cost of implementing compliant, minimal-data systems.

The EU AI Act Layer: Traceability and Documentation 

The EU AI Act introduces a layered approach to retention centered on system accountability rather than individual personal data. The rules are tied to the system’s risk profile, with High-Risk AI Systems (HRAS) (EU AI Act, Chapter 3) having the most stringent obligations.

Data Governance (Article 10) for HRAS requires that training, validation, and testing data sets be relevant, representative, and free of errors. While not a direct retention rule, this implicitly requires maintaining data sets for a period necessary for auditing and quality checks during the development phase.

The most critical requirement is Documentation Retention (Article 18): HRAS providers must keep key records (Technical Documentation, Quality Management System, etc.) for 10 years after the system is placed on the market. This 10-year rule applies to documentation and metadata, not the raw personal data itself, which must be deleted sooner under the GDPR. This 10-year period covers documentation, quality records, and conformity declarations. It is vital to understand that this does not override the GDPR’s Storage Limitation Principle (Article 5(1)(e)). 

Raw personal data used for training must still be deleted sooner. However, the requirement for Record-Keeping (Logging) (Article 12) means that systems must automatically record events and usage logs. While these logs should ideally be anonymised, their retention period must be “appropriate” extending the non-personal data record-keeping timeline. This mandates a long-term, non-personal data retention strategy that must be carefully integrated with the strict, short deletion cycles required by the GDPR for raw personal data.

Blending the GDPR and EU AI Act Requirements

The intersection of the GDPR and the EU AI Act necessitates a blended compliance strategy, particularly concerning purpose and identification. The GDPR’s Purpose Limitation principle (Article 5(1)(b)) demands that the purpose for processing, such as system training, be explicitly defined. This definition directly dictates the maximum legal retention period for personal data.

Implementing De-Identification in Your AI Data Retention Strategy under the GDPR and the EU AI Act

The best path for long-term data use is de-identification:

• Pseudonymisation only reduces identifiability; the data remains personal data under the GDPR and the Storage Limitation Principle still applies.
• Anonymisation is the only legal release valve. If the data is permanently and irreversibly stripped of identifiers; it is no longer considered personal data (GDPR Recital 26). Therefore, it can be retained indefinitely.

It’s critical to remember that while the raw personal data must be deleted, the trained system itself (the output) can be retained.

Reconciling the GDPR’s Right to Erasure with the EU AI Act Traceability

The most direct legal challenge is reconciling the GDPR’s Right to Erasure (Article 17) with the ongoing need for system traceability under the AI Act. If a system is trained on personal data, the controller must maintain the technical ability to honor an erasure request.

This is the Purpose Limitation Conflict: if the initial purpose (training) is complete, retaining the raw personal data is a violation of the GDPR. Developers must implement technical solutions like secure deletion protocols immediately after a system is finalised. Using robust, irreversible anonymisation is the only way to retain data sets without triggering the GDPR’s strict retention clock.

When facing overlapping regulations, the GDPR always acts as the primary constraint on personal data. Its Storage Limitation Principle sets the hard ceiling for raw personal data retention. This is regardless of the EU AI Act’s documentation rules.

The crucial legal distinction is that PII and other personal data used to create the system must be subject to rigorous deletion procedures the moment the training purpose ends. The technical documentation, metadata, and system logs (which should contain no personal data) are then subject to the EU AI Act’s extended 10-year retention rules. This hierarchy demands that the deletion process (the GDPR) must happen first, leaving only the audit trail (EU AI Act) behind.

Table: Comparison of differences 

The Financial & Operational Cost of AI Data

Compliance is not just a cost, but a powerful risk mitigator. Storing raw personal data beyond the necessary period is a direct violation of the GDPR’s Storage Limitation Principle. This exposes an organisation to fines of up to 4% of global annual turnover (GDPR Article 83).

Beyond the fines, excessive data retention creates massive operational liability. Longer storage times mean higher infrastructure costs and a larger surface area for security breaches. Every day the data is held, the probability of a costly Data Subject Request (DSR) increases, demanding expensive legal and technical personnel to fulfill. Compliant, timely deletion is ultimately the most financially responsible strategy.

Should you store raw personal data for training?

Organisations often retain raw data for perceived future utility, perhaps for retraining a system. The GDPR forces a hard strategic trade-off: is the speculative future value of that raw personal data worth the immediate, tangible risk of massive fines and data breaches?

The EU AI Act demands auditable records, but these should be built from fully anonymised data or non-personal data metadata. The cost calculation is simple: the threat of financial penalty for retaining personal data too is a much greater risk or potential cost than developing a compliant, data-minimal system. A mature data strategy prioritises de-identification and deletion over retention, significantly reducing the organisation’s regulatory and financial exposure.

Strategic Recommendations

The regulatory landscape governing AI development in the EU is defined by a critical tension:

1. the immediate obligation to protect individual privacy (GDPR) and
2. the extended obligation to ensure system safety and traceability (EU AI Act).

Compliant data management requires recognizing the GDPR’s Storage Limitation Principle as the absolute constraint on personal data retention. This is regardless of the EU AI Act’s documentation timelines. The solution is architectural separation, where raw personal data is subject to automated deletion, and the audit trail is constructed exclusively from non-personal, irreversibly anonymized assets.

TLDR;

• Under the GDPR, personal data must be deleted once its specific purpose is fulfilled. This limits how long raw training data can be stored.
• For AI developers, this means models cannot indefinitely rely on historical raw personal data. This can potentially impact retraining strategies and model evolution.

The post AI Data Retention Strategy under the GDPR and the EU AI Act: Reconciling the Regulatory Clock appeared first on TechGDPR.

The question is evident: how do businesses employ global AI systems and continue to comply with the GDPR cross-border data transfer principles? It is essential to understand the link between AI and personal data and its impact through the legal landscape governing cross-border transfers.

Understanding the AI and the GDPR Landscape

Artificial intelligence systems will typically need to use humongous amounts of data, of which may include personal data. This data is typically obtained from various jurisdictions and processed using cloud platforms, data centers, and development teams in various countries. The worldwide infrastructure complicates the fulfillment of the GDPR since it inhibits the transfer of personal data beyond the European Economic Area (EEA) and United Kingdom.

The GDPR is grounded in fundamental principles of lawfulness, fairness, transparency, limitation of purpose, and data minimization. It also requires accuracy, limitation of storage, integrity, confidentiality, and accountability. These principles should be adhered to by any AI system that involves personal data even when data is transported.

Cross-border data transfers happen when personal data is moved from the EEA to a third country. These are addressed by Chapter V of the GDPR, which dictates the legal frameworks organisations must obey. Since most AI systems are international data processing, virtually all of them are confronted with this regulatory challenge.

Focal Compliance Challenges in Cross-Border AI Projects

There are a few challenges that make it hard to regulate cross-border data in AI:

• Terabytes of information: AI systems read text, images, video, audio, and behavior data in volumes that older compliance procedures find difficult to keep up with. It’s no small challenge to collect, categorize, and safeguard these datasets across borders.
• Pseudonymization risks: So-called anonymized data can in fact facilitate re-identification, particularly when combined with additional datasets. It is important to understand the difference between pseudonymized and anonymized data. 
• Lack of transparency: Most AI systems, especially deep learning-based systems, are “black boxes.” This uninterpretability may hinder the ability of organizations to show compliance with the GDPR, especially purpose limitation and data minimization.
• Shifting rules: Regular updated guidance from national authorities and the European Data Protection Board (EDPB) on AI, transfers abroad, and the way the two interoperate. Just requirements mount with the arrival of legislation such as the EU AI Act.
• Third-party risk: Third-party data suppliers, cloud vendors, and outsourcing data processors are all more likely to be in the AI supply chain. Unless they are properly managed, they bring inherent third-party risk through non-compliance, data loss, or unauthorized transfers.

Legal Frameworks for GDPR-Compliant Cross-Border Transfers

The GDPR provides a range of legal frameworks for cross-border transfers of personal data beyond the EEA, depending on conditions and limitations.

• Adequacy decisions are among them. The European Commission will be in a position to determine that a non-EEA nation ensures “adequate” protection for personal data, and data can flow freely. These decisions have been granted to Japan and Switzerland, and the same has been granted to the United States under the new EU–U.S. Data Privacy Framework. Adequacy decisions are not absolute, however, and can be invalidated, as was the invalidation of Privacy Shield.
• For organizations in countries not issuing an adequacy decision, Standard Contractual Clauses (SCCs) are the most used. Contractual clauses maintain international data transferred from being reduced below EU levels. Organizations must perform Transfer Impact Assessments and introduce additional safeguards since the Schrems II judgment, in order to lawfully use SCCs.

• Binding Corporate Rules (BCRs) is a further possibility for multinationals. They are internal codes of conduct that have to be approved by a data protection authority and are legally enforceable against the corporate group. It is a scalable solution to implement for intragroup data transfers, but it may be time-consuming and costly to obtain the approval.
• The GDPR also has limited derogations for certain situations, including where the individual provides unambiguous consent or where a transfer must be conducted in order for a contract to be formed. Exceptions are few and not to be generalized or bulked.

Practical Steps to Remain Compliant

To effectively administer cross-border data transfers, follow these best practices:

• Map data flows: Determine where personal data comes from, is processed, and travels.
• Perform Data Protection Impact Assessments (DPIAs): DPIAs for riskier AI projects ensure assurance of risk identification in the areas of discrimination, bias, and data protection and transfer risk assessment.
• Improve data governance: Establish policies and roles that ensure accountability to operating, technical, and legal teams.This ensures consistency and accountability when dealing with personal data.
• Enforce security controls: There must also be organizational and technical controls. These include secure development of AI models, access controls, pseudonymization, and encryption. Security audits and penetration tests done on a regular basis can combat threats that can be used in performing cross-border transfers.
• Manage third parties: Secure good data processing terms and ensure all suppliers comply with the GDPR. Any AI supplier or cloud provider dealing with your personal data on your behalf must be subject to rigorous due diligence. This includes negotiating good DPAs and ensuring vendors apply GDPR-level controls.
• Train your staff: Make sure staff is educated about their part to play with regard to AI and international processing of data. A specific incident response plan also needs to be created to handle any AI system-related breaches.

Readiness and Regulation

Regulatory requirements are changing. The EU AI Act and industry-specific guidelines from the EDPB and others will keep transforming what looks like compliance with AI. Leading-edge businesses are already constructing governance structures in accordance with the GDPR and these new rules. Technologies such as data flow mapping automation, real-time risk management, and Transfer Impact Assessments run on a regular basis become typical. Legal, technical, and compliance staff need to interact so that AI ingenuity is converged into regulatory requirements.

Conclusion

Cross-border transmissions of AI data under the GDPR is not impossible, but difficult. With good understanding of the regulatory frameworks, operating on high-risk subjects, and adopting good mitigations, organizations can deploy effective AI technologies in immaculate compliance.

Creating AI responsibly involves creating it legally. Now is the time to audit your cross-border data transfer processes, enhance your governance structure, and embed compliance in all areas of your AI work.

The post GDPR Compliance for AI: Managing Cross-Border Data Transfers appeared first on TechGDPR.

Data subject rights (DSRs) are not optional check boxes. They are legally enforceable rights granted to individuals whose personal data is processed. Businesses must respect data subject rights throughout all stages of AI development, deployment, and ongoing system management. The GDPR grants individuals several rights over their personal data. Let us focus on four of these here:

1. Right to be informed: As with other data protection frameworks, transparency is key under the GDPR. This right takes the form of a duty to inform prior to the processing taking place. Businesses must include information on how they collect, use, store, and share data, the purpose of processing, the legal basis, data retention periods, and who may receive the data. Privacy notices are the typical repositories for this information. They must be concise, accessible, and written in plain language.
2. Right of access: Data subjects can request access to the exact personal data a business holds about them. Businesses must provide information about processing activities, data categories, and any third parties with whom they share the data.
3. Right to rectification: Data subjects can request organizations to correct incorrect or incomplete data without delay. Businesses must respond promptly and update the data across systems and third-party processors where necessary.
4. Right to object, right to be forgotten and right to revoke consent: It allows individuals to exercise control. The European Data Protection Board (EDPB)  published a case digest on right to object and erasure. Data subjects must be able to object to the use of their data and request its erasure when it is no longer necessary, when they withdraw consent, or for purposes like direct marketing.

Incorporating data minimization in AI Systems

One of the most effective ways businesses can respect data subject rights is by adhering to the data protection principle of data minimization. This GDPR principle requires businesses to collect and process only the minimum personal data necessary to achieve their specific purpose. Avoid over-collecting data, use anonymized or synthetic data for training, and regularly review AI outputs to remove unnecessary personal information.

Implement transparent data practices

Transparency is central to building trust and achieving legal compliance. Always define the purpose of processing, specifically the training of AI models. If businesses rely on legitimate interest, they must show that they gave data subjects the chance to object; otherwise, they invalidate their legal basis.

Clearly inform existing customers in advance when using their data to train AI models, and provide opt-out options before processing begins. Transparency is key. 

When there’s no direct relationship with the individual (such as when using publicly available data or from data brokers), the GDPR requires information to be provided within one month of its collection GDPR Articles 14.  

In 2023, the Italian DPA temporarily banned OpenAI’s ChatGPT, citing a lack of transparency around how it used personal data for training. The DPA later required the company to implement clear privacy notices and provide users with ways to exercise their rights.

Respect the right to access 

Can data owners request access to training data? 

This becomes complicated with large language models, but under the GDPR, individuals have the right to know if and how their data is being used.

How to exercise that right? 

Under the GDPR, individuals have the right to know if and how their personal data is used, including data processed by AI systems. While this is straightforward for users with an existing relationship (who can submit data subject access requests via account settings or customer support), it’s more complicated when there’s no direct connection.

In such cases, organizations must ensure proactive transparency by clearly informing people through privacy policies and AI transparency reports. Failure to uphold this right contributes to loss of trust and accountability in AI use and development.

Develop clear processes for data deletion and rectification 

Can data be corrected or deleted after it has been used to train an AI model? 

While difficult, companies must explore the use of data architectures that allow tracing of personal data contributions. The GDPR (Recital 26) considers even pseudonymous data, like randomly generated user IDs, as personal data since organizations can technically link it back to a person, directly or indirectly.

To reduce data subject risk while improving compliance, companies could implement the following measures:

• Data encryption: Businesses should ensure proper security implementation, especially when handling sensitive personal information.
• Anonymization and pseudonymization: Where possible, anonymize or pseudonymize data before using it in AI models. Anonymization and pseudonymization protect personal data by reducing breach risks and limiting the impact on individuals in case of a data exposure.
• Access control: Implement strict access controls and monitoring to ensure only authorized personnel can access personal data. This prevents unauthorized exposure of sensitive information.

By embedding these practices into AI development pipelines, organizations can take meaningful steps toward compliance, trust-building, and ethical AI deployment.

Ensure security and privacy by design

Organizations should build user trust and meet regulations by embedding privacy from the start, not treating it as an afterthought. This is the core of the privacy by design principle under the GDPR.

Key steps include:

• Promoting user choice and control: Provide clear opt-out options before processing data—whether in email campaigns, mobile app popups, or web trackers.). Empower users with privacy dashboards that let them view, manage, and delete their personal data at any time.
• Secure data handling: Businesses must encrypt personal data used in AI training while transmitting and at rest. Implement strict access control mechanisms to ensure that only authorized personnel can interact with sensitive data.

Embedding privacy and security into system architecture from the outset not only ensures compliance, trust-building, and ethical AI deployment.

Maintain ongoing communication and feedback loops

Transparency shouldn’t stop at data collection. When introducing AI processing, update your privacy notices to reflect new processing activities, as required by the GDPR. Use layered notices to highlight AI-specific practices like model training, profiling or automated decision-making. Importantly, inform users before processing, not after. True consent means giving people a real choice. Building feedback loops as user input is essential for improving fairness, spotting issues, and building trust in your AI systems.

Conclusion

As AI continues to shape modern business, respecting data subject rights is not just a legal obligation; it’s a foundation for responsible innovation. By embedding privacy by design, adopting transparent data practices, and enabling user control, organizations can align AI development with GDPR principles and foster long-term trust. Data protection isn’t a compliance checkbox, it’s a strategic imperative for ethical and sustainable AI.

Feel free to reach out to us for any clarification of AI compliance needs.

The post Respecting Data Subject Rights in AI: A Practical Guide for Businesses appeared first on TechGDPR.

Privacy by Design (PbD) is crucial here. We cannot shy away from saying it’s a good idea, but framing it as ‘critical’ is much closer to the mark. Dr. Ann Cavoukian’s developed framework is integral to embedding privacy in AI infrastructures. It is important to understand how AI developers can infuse PdD into reality alongside explaining the reasoning behind the importance of preserving user privacy.

Understanding PbD starts from the foundation of believing that privacy comes when the service is not looking for or pre-configured by users, but instead set as a default feature.

Understanding Privacy by Design: Principles at the Core

Privacy by Design is based upon the notion that privacy should be the natural default and not an optional feature one must find or switch on. Instead of responding to privacy violations, PbD has companies anticipate them and prevent them from occurring in the first place. Its seven design principles are not idealistic goals; they are pragmatic recommendations for integrating ethical data handling at every stage of the design process.

Picture Privacy by Design as building privacy into a cake rather than sprinkling privacy on top as sprinkles. PbD is an innovative approach to building privacy into systems in the first place.

Here are the seven main principles in more detail:

1. Proactive not reactive; preventive not remedial: Anticipate risks before they arise. Don’t wait for a breach to act.
2. Privacy as the default setting: Individuals shouldn’t have to request privacy. It should be automatic.
3. Privacy embedded into design: Build systems that make it impossible to forget privacy because it’s built in, not added later.
4. Full functionality by being positive-sum, not zero-sum: Achieve both privacy and innovation; one shouldn’t come at the expense of the other.
5. End-to-end security and lifecycle protection: Protect data from the moment it’s collected until it’s deleted.
6. Visibility and transparency: Systems must be open to inspection, review, and explanation.
7. Respect for user privacy: Keep the user at the center with simple controls and clear, honest communication.

The Unique Privacy Challenges in AI

AI is different from typical software. Its reliance on enormous collections of data and capacity to infer sensitive material from ostensibly harmless points of data make it highly invasive. Voice, text, image, or behavior-trained models can identify not only user tendencies but mood, political orientation, or state of health as well.

This poses a sequence of privacy threats:

• Over collection: AI is starved for data, and therefore developers overcollect.
• Inferred data: Models have the ability to make truly excellent predictions, often more than what users have expressed in so many words.
• Opacity: Most AI models are “black boxes,” where even the developers aren’t necessarily sure how the decisions are being made.

Ignoring privacy can result in:

• Fines and lawsuits under legislations such as the GDPR, the EU AI Act and the CCPA.
• Loss of customer and user trust.
• PR disasters that bury your brand.

Good privacy is not only good business, but good ethics as well.

Best Practices for Integrating PbD in AI Development

In order to design Privacy by Design properly for AI systems, developers need to be strategic as well as practical. Below are crucial steps to follow:

1. Begin with Privacy Impact Assessments (PIAs): Before creating anything, perform a PIA to discover privacy threats and analyze how your AI system processes information. This way, threats are identified and addressed upfront, instead of once it is deployed. Begin your AI project by questioning: 

• What information is required? 
• What are the threats? 
• How are users safeguarded? 

2. Adopt data minimization and purpose limitation: Collect data only if it’s needed to accomplish a precise, well-defined purpose. This minimizes risk and simplifies handling of privacy obligations. Refrain from the temptation to “collect now, decide later.”
3. Take advantage of privacy-enhancing technologies: Differential privacy adds noise to statistics, preventing data tracing back to individuals. Federated learning learns models on user devices, reducing central data aggregation. These technologies maintain utility while keeping user identities secure.
4. Encourage transparency and explainability: Transparency does not solely involve open-sourcing code but more importantly explaining in simple terms how the system functions, what information is used, and what the model is deciding. Interpretation of models and tools such as model cards can assist.
5. Ensure secure access and data encryption: Both in transit and at rest, data should be encrypted. Controls on access must be strong, restricting access to data by role and need. Regular audits should be performed to ensure compliance.
6. Build ethical oversight: Develop cross-disciplinary review boards consisting of technologists, legal specialists, ethicists, and community members. Such bodies can review projects for privacy, fairness, and unintended effects.
7. Design for user empowerment: Provide users with the ability to see, control, and remove their information. Provide privacy controls that are understandable and accessible. Opt-in is the norm, not sneaky default options or unclear text.

Lessons from the real world

Let’s see who’s doing it right and who didn’t:

• Apple has been a leader in on-device computing and differential privacy. Their health features, for instance, store personal data locally and anonymized.
• Google applies federated learning in its Gboard keyboard to allow for predictive text without ever transmitting what users are typing.
• But Clearview AI and Cambridge Analytica are cautionary tales. They were firms that did not respect user privacy and lost lawsuits, penalties, and long-term public distrust.
  • Clearview AI scraped billions of images without permission and was met with worldwide outrage.
  • Cambridge Analytica harvested Facebook data for political campaigns and sparked worldwide alarm about AI and privacy.

The Trade-Offs and Challenges Ahead

With the best of intentions, it’s hard to implement PbD for AI. There are compromises:

• Data minimization vs. performance: Data about people can restrict how much data you process, which can have an impact on model performance because lower numbers of data points can result in lower-performing models.
• Anonymity vs. fairness: Reducing bias relies on demographic information, which introduces new privacy issues. To be fair, there is often a requirement for data on race or gender, which is sensitive.
• Technical expertise: Federated learning or differential privacy is required to utilize these, which calls for expert know-how as well as computational resources.

These are challenges that are worthwhile overcoming. With privacy as a competitive advantage and a legal requirement, businesses embracing PbD will be far ahead of their competitors for long-term achievement.

What’s coming next?

Regulations are solidifying. The EU AI Act and other initiatives are establishing new norms. Meanwhile, technologies such as homomorphic encryption (so computation can be performed on encrypted information) and synthetic data (which simulates real data without revealing real users) are opening up new paths for privacy-led innovation. These technologies will help AI developers to prioritize how to create systems that safeguard people.

As AI reshapes society, privacy must not be treated as an afterthought. It’s a design choice that reflects an organization’s values, foresight, and respect for its users. Integrating Privacy by Design isn’t just about avoiding penalties; it’s about building systems that are ethical, resilient, and worthy of trust. If you’re building AI, you’re shaping the future. Make it one where people feel safe and respected. By using Privacy by Design, you’re not just avoiding trouble; you’re building trust, improving outcomes, and showing users you’ve got their back.

Every line of code and every product decision is an opportunity to do better. Start now. Make privacy the foundation, not the fix.

The post How to build trustworthy AI from the ground up with Privacy by Design? appeared first on TechGDPR.

So, how does the GDPR relate to AI, and what foundational principles should organizations understand to stay compliant?

Personal data and AI: A complex relationship

At its core, the GDPR is designed to protect personal data: any information that relates to an identified or identifiable individual (Article 4(1), GDPR). AI systems, particularly those using machine learning, thrive on data. Whether it’s customer profiles, behavioural patterns, facial recognition data, or voice recordings, much of the data used in AI training and operations falls under the GDPR’s scope.

Key principles that govern AI under the GDPR

The GDPR outlines several fundamental principles that guide lawful data processing (Article 5, GDPR).
These foundational principles are perhaps the least understood aspects of EU data protection law. When applied to AI, the following principles are especially critical:  

• lawfulness, fairness, and transparency, 
• purpose limitation, 
• data minimization, 
• accuracy, 
• storage limitation, 
• integrity, confidentiality, and accountability

Let’s break down how some of the core GDPR principles affect AI development and deployment.

Lawfulness, fairness, and transparency

AI systems must have a clear legal basis for processing personal data. Organizations must clearly disclose how they collect and use data. This applies to the use of data for model training as much as the use of data in model output or inferences. In addition to the transparency requirement that applies when personal data is submitted to algorithmic decision-making, the GDPR provides for the right not to be subject solely to AI automated decisions. For example, when AI applications make decisions that affect people, such as denying them a loan or job, organizations must ensure individuals understand how the decision was made and provide a recourse mechanism for human intervention

Purpose limitation

Organizations must collect data for specific, explicit, and legitimate purposes. AI systems should not reuse personal data for unrelated tasks without further consent or justification. In AI, this prevents training or deploying models using data gathered for unrelated tasks. Organizations must define purposes clearly and inform users at the time of data collection. Reusing data without consent risks non-compliance with the GDPR. Perform a compatibility assessment before processing the new purpose further. This principle protects user trust and ensures responsible data use.

Data minimization

Organizations should process only the data necessary for the task. This poses a challenge for AI, which often thrives on large datasets. Organizations must carefully assess what data is important and avoid overcollection. This increases risks and may violate data protection regulations. Organizations should perform data audits to identify and eliminate non-essential data. Moreover, organizations can sometimes use synthetic or anonymized data instead of real personal data. Data minimization reduces exposure to breaches and ensures ethical AI development. It’s a key principle for building privacy-preserving and trustworthy AI systems.

Accuracy

AI outputs must be based on accurate data. Poor data quality can result in harmful or biased outcomes, which can violate GDPR and damage trust. Accuracy requires that personal data used in AI systems is correct, complete, and up to date. According to ICO, organizations are obligated to ensure data accuracy and correct errors promptly. Low-quality data can undermine both compliance and credibility of AI systems. Regular data validation, cleansing, and monitoring are essential. Organizations should provide users with ways to challenge or correct inaccurate outputs. Ensuring accuracy builds trust, fairness, and legal defensibility in AI applications.

Storage limitation

Organizations should not keep personal data longer than necessary, which affects how long they can retain and reuse AI training datasets. Organizations must delete or anonymize personal data once they no longer need it for its original purpose. AI training datasets containing personal data must have defined retention periods. Retaining data indefinitely increases privacy and legal risks. Organizations should regularly review data to decide what to archive, delete, or anonymize. Reusing old datasets requires checking if the original legal basis and purpose still apply. Organizations must document and enforce data retention policies. This principle ensures compliance, efficiency, and reduced data exposure.

Integrity, confidentiality and accountability

Security is crucial. Organizations must implement robust technical and organizational measures (e.g., encryption, access control), particularly as AI systems often aggregate and process data across multiple sources, increasing the risk of breaches. Integrity and confidentiality require that personal data is protected against unauthorized access, alteration, or loss. Implementing tools like the Privacy tech directory helps both companies and individuals safeguard personal information and comply with privacy regulations. Security measures should align with the sensitivity and volume of data processed. Regular audits, penetration tests, and employee training strengthen protection. Maintaining integrity, confidentiality, and accountability ensures responsible system use with clear oversight and traceability of actions and decisions. Accountability mechanisms such as logging, monitoring, and clear roles and responsibilities enhance trust, support regulatory compliance, and foster responsible AI deployment.

Automated decision-making and profiling

Article 22 of the GDPR gives individuals the right not to be subject to decisions based solely on automated processing, including profiling, which significantly affects them. This applies to applications such as credit scoring, job application filtering, and predictive policing. Unless exceptions such as  explicit consent or contractual necessity apply, organizations must ensure human oversight and provide meaningful information about the logic involved. 

The challenge of explainability

One of the greatest tensions between AI and the GDPR is explainability. Many AI models, especially deep learning systems, are not easily interpretable. Yet, Recital 71, GDPR emphasizes transparency and the right to understand meaning information on how decisions are made.  Many AI systems operate as “black boxes,” making their decisions hard to interpret. This lack of transparency can undermine user trust and legal compliance. Organizations must adopt Explainable AI (XAI) techniques to clarify how decisions are made. Clear explanations help individuals understand, contest, or seek redress for decisions. XAI supports both ethical AI development and adherence to data protection principles.

Best practices for developing and using GDPR-compliant AI

Organizations can align AI systems with GDPR by conducting Data Protection Impact Assessments (DPIAs), implementing Privacy by Design and by Default (Article 25), maintaining detailed records, ensuring human oversight, and providing clear, accessible privacy notices. Consult with your DPO to ensure your AI technologies comply with any applicable legislation which could potentially include the GDPR, the CCPA, the EU Artificial Intelligence Act, etc. 

International data transfers

If your AI system transfers personal data outside the EU (e.g., to cloud servers in the US), ensure adequate safeguards are in place. Some commonly used safeguards include Standard Contractual Clauses (SCCs)  which are detailed in the GDPR and serve to govern international data flows.

Conclusion

AI holds incredible potential to transform industries and improve lives. However, to align with the GDPR and respect individuals’ rights in the data-driven era, developers and organizations must use AI responsibly. Understanding and embedding GDPR compliance into AI development is a crucial step toward building ethical, transparent, and sustainable technologies. Consult your DPO to ensure AI systems comply with the GDPR and other global privacy laws.

Feel free to reach out to us for any clarification of AI compliance needs.

The post AI and the GDPR: Understanding the Foundations of Compliance appeared first on TechGDPR.

What does this mean around the world?

Countries such as the United States and United Kingdom are increasingly moving towards reliance on these technologies. Countries in the EU are also recording findings of some trial projects related to the use of Facial Recognition Technology. However, as the technology continues evolving and becomes increasingly more widespread, concerns arise in relation to potential consequences of using said technologies. A majority of concerns focus on biases and consequences in relation to law enforcement. In addition, concerns with regard to all individuals’ privacy rights are also at the forefront of the discussion, including: 

• Whether an indiscriminate recording of all individuals captured by cameras is aligned with the principle of data minimization;
• Concerns on the lawfulness and transparency of the use of said technology, as further discussed below; and
• Appropriate processing of special categories of personal data in accordance with legal requirements. 

Both the GDPR and its UK equivalent (the ‘UK-GDPR’) provide for some legal framework setting standards for the use of this technology. However, the departure of the UK from the EU in 2020 means that the two jurisdictions are now implementing entirely different approaches when it comes to the use of Artificial Intelligence. This blog post analyses said differences, and the implications thereof, with a focus on FRTs.

The history of public surveillance systems in the EU and the UK

Looking at the history of implementation of public surveillance systems in the EU and in the UK, sets the stage to highlight the difference in framework that applies to this day. 

Public authorities and private actors have implemented video surveillance as one of the measures to ensure security since the middle of the 20th century. Camera systems such as CCTV have been increasingly appearing in UK cities since the 1950s, and have progressively evolved technologically. As a result, we are now at the point where South London will be installing its first permanent facial recognition cameras.

Similarly, Germany saw its first shift in the usage of cameras for public security reasons in the 1960s.  By the 2000s, the majority of large European cities were deploying CCTV systems.

However, based on this history and according to researchers, the evolution in technical capabilities of CCTV and its respective use in the EU has always lagged behind that of the UK. One of the reasons for this was a lack of constitutional protections for the right of privacy. Meanwhile, EU countries have demonstrably had a stricter approach to privacy even prior to the Data Protection Directive passed in 1995. The EU has implemented further protective measures since, such as the AI Act. 

How does the use of facial recognition change between the EU and the UK?

While both jurisdictions use Facial Recognition Technology with the goal of enhancing public and national security, they differ vastly in how extensively they have applied it in practice.

The main difference is in its application, which is in turn related to the current regulatory differences. In the EU, current deployments of RBI systems are primarily experimental and localised. Examples of case studies include Facial Recognition Cameras at Brussels Airport, Facial Recognition at Hamburg G20, and the DragonFly Project in Hungary. There is currently no example of fully implemented and permanent FRT or RBI systems in the EU.

Additionally, the UK’s implementation of such systems is a current point of discourse across the country. As an example, part of MET police deployment policy for overt implementation of live facial recognition to locate people on a Watchlist is to be able to implement Live Facial Recognition onto “hotspots” for a number of crimes, ranging from theft and drugs to terrorism and human trafficking. 

Additionally, the use has extended to private companies, such as the retail and hospitality sector, to take advantage of the technology to enhance security and prevent theft and revenue loss.

Regulatory similarities

In both the EU and the UK, the GDPR regulates the usage of all data processing technologies, including Facial Recognition Technology. The UK also implemented the regulation at national level with the Data Protection Act 2018. Therefore, a number of legal requirements, and issues of public concern are common for both jurisdictions:

• Data needs to be processed lawfully, fairly and in a transparent manner. Where public interest can be an applicable legal base for public authorities and law enforcement (albeit not without justification). However, private companies are required to jump through more hurdles to justify the necessity and proportionality, and outright lawfulness, of the use of FRTs, typically under legitimate interest;
• Processing of biometric data means that Art. 9 special categories of personal data are being processed, adding an extra layer to the lawfulness argument. Such categories of data can only be processed pursuant to one of the exceptions listed in the Article 9. Again, reliance on substantial public interest could be an option, but not without having to make a balancing exercise, which leads to: the requirement to carry out a Data Protection Impact Assessment in accordance with Art. 35.3, where the usage of said technology arguably meets all 3 criteria;
• Further considerations and concerns include breaches to the principles of purpose and storage limitation, and data minimisation. 

What is the regulatory approach to facial recognition in the EU?

However, in the EU, the newly implemented AI Act regulates the specific usage of real-time remote biometric identification systems in its Article 5. The article outright bans the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage and the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, although the latter comes with exceptions. These include:

• Search for abducted individuals, and victims of human trafficking and sexual exploitation;
• Prevention of a specific, substantial and imminent threat to life or threat of terrorism; and
• Localisation of a person suspected to have committed a criminal offence listed in Annex 2 of the Act (which does not include property damage, theft and/or burglary). 

Said exceptions, however, must still take into account rights and freedoms of the individuals involved. Additionally, Article 27 of the AI Act require a fundamental rights impact assessment and law enforcement authorities registering the system in the EU database according to Article 49.

How does the regulation framework differ in the UK?

Since its departure from the EU due to Brexit, the regulation of such technologies in the UK is entirely different. There is currently no AI-specific regulation in place. UK Parliament is currently discussing the only related legislation for the usage of such technologies, namely the Data Protection and Digital Information Bill.

Importantly, the draft of this bill demonstrates how the UK’s approach is opposite to that of the EU, possibly leading to less regulation. For example, through the abolishment of the Biometrics and Surveillance Camera Commissioner (BSCC). The underlying argument is that the removal of this office, in a period of fast technological change, will result in the loosening of safeguards designed to raise standards and protect citizens, and may ultimately result in the deployment of technologies that are not in the public interest. 

That is not to say that the use of said technologies will go entirely unchecked. The Information Commissioner Office made a statement about the usage of said technologies and calls for the responsible and lawful use of Facial Recognition Technology, and published guidance on appropriate use of Biometric recognition systems. However, the guidance still relies on mostly GDPR-based principles and rules. It does not add anything new to the conversation on the increased use of FRTs by law enforcement agencies or private companies, which might have legal implications for individuals. Therefore, the status quo remains that in comparison with the EU, the UK remains a regulatory sandbox for the use of such technologies. As a result, concerns arise about the ways this compliance vacuum could be exploited and relevant risk for individuals. 

Looking forward

Despite the technology being substantially more regulated in the EU, there is still criticism on the general use of FRTs, even with the existence of the GDPR and AIA rules in relation to the technologies. The vagueness of the definitions in the AI act, the changes made to the AI Act draft from an outright ban for the technologies to an approach with “exceptions” and the lack of clarity on the implementation of these technologies by private companies outside of law enforcement agencies.

The post Comparing the UK and EU’s framework on facial recognition technology appeared first on TechGDPR.

Enforcement from authorities for violations of rights in relation to children

In recent years, several significant fines have been issued to tech giants over their mishandling of children’s data. Among these are:

2022

• The Dutch Supervisory authority fined TikTok in 2022 for €750,000,. The fine was for violations concerning children’s privacy. The specific concerns were due to the lack of transparency and information only being provided in English; and
• Meta was fined by the UK Information Commissioner Office (ICO) for €405 million in 2022 for setting profiles as public by default. This included children aged 13 to 17. It allowed the same age range to set up “business profiles.” A “business profile” makes their email address and phone number publicly available.

2023

• In 2023 was fined by both UK and Ireland commissioners for £12.7 million and €350 million respectively. The ICO found TikTok guilty of having a vast number of accounts tied to children under 13. Senior employees at TikTok were already aware of this. Additionally, the ICO considered that the measures in place to verify age and ask parental consent were not appropriate. The ICO claimed that information on the processing was not provided in a transparent manner. The Irish Data Protection Commissioner (DPC)’s concern mirrored the concern of the ICO for Meta. It found accounts from minors were publicly available;

• OpenAI also saw a fine in 2023, this time from the Italian authority. The fine was for €15 million, related to, amongst other issues, lack of age verification concerns; and
• In 2023, Meta was under fire again, subject to a €251 million fine from the Irish DPC. The fine followed a data breach that impacted approximately 29 million users including, amongst others, children and their data.

2025

• Most recently in March 2025, articles have come out suggesting a new investigation on TikTok’s practices, meaning that scrutiny over the platform’s handling of children’s data remains ongoing.

Despite these substantial penalties, being some of the highest since the GDPR has taken effect, the effectiveness of these authorities intervening remains questionable. This is due to the lack of visible active changes to the platforms. 

New AI Age Verification Measures: What’s Changing?

In some recent news, however, there have been pledges to make improvements in this sector starting 2025. Both Google, specifically for its Youtube service, and TikTok, suggest that they will be using machine learning in order to help estimate users’ age based on their interactions with the platforms. Meanwhile, Meta deems sufficient that Apple and Google app stores have implemented guardrails which prevent underage users from downloading apps scored above their age range. These proposed measures, whilst a potential improvement from no age assurance at all, still raise questions. One of the most pressing being as to whether this is really the most compliant way forward to avoid further fines related to the use of children’s data.

Flaws in Current Age Verification Methods

The current state of these platforms suggests that their approach to age verification remains flawed. Many still rely on basic verification methods, such as asking users to input their birth date instead of merely ticking a box confirming they are over 13. While this method may encourage slightly greater honesty from children, it remains easily bypassed without additional safeguards.

TikTok has taken a step toward since the fall of 2020 by applying more robust verification. This requires users who wish to go live to be over 18 and confirm their age. This is done through facial age estimation, ID photo submission, or bank account verification. While this is a move in the right direction and aligns with age assurance mechanisms endorsed by Ofcom, it is still limited in scope. It also does not seem to be used when it comes to verifying users’ age in case parental consent is needed.

Parental Controls vs. Platform Responsibility

App stores like Google Play and Apple’s App Store allow parents to set restrictions on their children’s devices. This prevents the download of age-restricted apps. However, this shifts the responsibility onto parents rather than the platforms themselves. Notably, many social media platforms, including Facebook, Instagram, TikTok, and YouTube, are rated as 12+, despite the GDPR’s Article 8 establishing the minimum age for parental consent at 13. This discrepancy allows children to still access these platforms without parental approval.

The Push for Stricter Age Verification Laws

Some countries, like France, are considering following Australia’s example by proposing a complete ban on social media usage for children under 13. However, enforcing such a ban remains a challenge. Without effective age verification mechanisms, prohibiting access becomes difficult. Moreover, some critics argue that such restrictions may be unconstitutional or infringe upon children’s rights.

Research conducted by Ofcom in the UK indicates a rising trend in social media usage among children compared to previous years. While comparable EU-wide statistics are less readily available, it is reasonable to assume that similar trends apply globally. This growing demographic highlights the urgency of implementing effective protections, however, the solutions that have been proposed seem to also come with further risk. Therefore, these promises can be argued to be less geared towards the protection of children’s data, and more so related to avoiding further enforcement actions. 

Is AI Really the Solution?

As mentioned earlier, TikTok and Youtube plan to use machine learning algorithms to infer users’ ages, specifically targeting those who may be under 13. While this approach seems promising, it also introduces compliance risks.

The European Data Protection Board (EDPB) has issued a statement, effective from February 2025. The statement outlines the need for age assurance mechanisms to be effective, secure, and compliant with the GDPR principles. Among the key considerations is the right to avoid automated decision-making. The use of machine learning for age verification must be assessed on a case-by-case basis. It must include appropriate redress mechanisms, including the ability to request human intervention.

Additionally, the statement emphasizes that platforms processing children’s data must fully adhere to GDPR principles. This includes conducting a Data Protection Impact Assessment (DPIA) to evaluate risks and mitigation measures. Given that machine learning is considered high-risk processing and children’s data is inherently more sensitive, platforms must take extra precautions. AI-driven age verification is not outright prohibited. It is crucial that companies deploying such technologies do so with full compliance in mind.

Yoti and Third-Party AI Age Verification Solutions

That is not to say that it is impossible to carry out age verification safely while using AI. One of the providers that has garnered attention by major platforms such as Meta, and OpenAI is UK-based Yoti Ltd.. Yoti is an age verification provider that also makes use of AI when carrying out selfie age-estimation. It provides guarantees that none of the data used for said verification is shared with their controller. Relying on a third party solution, especially one that is based in Europe and may be more aware of GDPR restrictions and subject to more stringent requirements, could help with mitigating some of the risks that have been mentioned so far. 

Meta has provided no news on the use of the provider since 2023, and the result of its use for OpenAI is yet to be seen. Meanwhile, the statements from YouTube and TikTok remain vague on what exactly they mean when they say they will use AI or machine learning. Considering the past violations of the companies proposing these AI-driven solutions, it is fair to question whether they will implement them in a genuinely GDPR-compliant manner. Given the history of non-compliance, skepticism remains warranted. These platforms are looking into compliance from the enforcement point of view, as opposed to focusing on the protection of data subjects. 

Conclusion

Failure to implement effective age assurance mechanisms in line with GDPR’s Article 8 has been a common issue. It has resulted in many of the largest GDPR fines issued to social media platforms over the past three years. Despite this, platforms continue to lag in their efforts to protect children’s data. This continues even as the number of young users continues to grow.

While some governments advocate for stricter bans, platform providers are making promises to implement improved verification methods. The improved verification methods include the use of AI to estimate users’ ages. This concept is not entirely new, TikTok already employs AI-driven age verification for its Live feature. Meta is currently also listed as a client of the UK-based age verification provider Yoti. Notably, Yoti has also been named as the provider required to verify the age of OpenAI’s users. This is a requirement resulting in response to a fine from the Italian DPA. As concerns surrounding AI, machine learning, and data privacy remain pressing, the methodology proposed by large social media platforms remains a cause of concern for the privacy of child users. 

The post AI Age Verification: Big Tech’s Risky Fix for GDPR Violations appeared first on TechGDPR.

What does self-hosting an AI model mean?

To be explicit: if one self hosts AI models, it occurs directly on the hardware they own (i.e. one can run Ollama on their laptop). This control allows for enhanced privacy and security. Arguably, if you host an AI model on your device, there is no need for the data to ever leave your device. Therefore, the risk of data breaches or unauthorized access decreases drastically. If one hosts an AI directly on their device, the data does not need to travel far distance. This means the latency is decreased and one receives a faster response (this aspect of speed is hardware dependent). Latency can best be understood as how much time passes between when a question is asked to an AI model and when a response is received.

Most modern computers can run smaller AI models with no issue, but larger models tend to be more resource intensive. There are many resources available that allow one to examine the free open-source models and the hardware compatibility. The benefits to using an open source model can be greater privacy and transparency. The decreased latency also allows for reduced risks of data breaches and a better level of compliance if processing sensitive data using AI models. 

Why and how to invest in self-hosting AI models?

To run usable AI models, hardware plays a crucial role. Self-hosting AI models require a graphical processing unit (GPU) for optimal performance, as running AI solely on a central processing unit (CPU) leads to slower computations and, as aforementioned, higher latency.

What are the key benefits of self-hosting AI models:

• Improved Performance: GPUs significantly enhance processing speed, allowing AI models to generate responses faster.
• Cost Savings Over Time: While the initial investment in hardware may be high, self-hosting eliminates recurring cloud subscription fees—leading to long-term financial benefits.
• Data Control & Privacy: Self-hosting removes dependence on third-party cloud providers, ensuring full control over sensitive data.
• Regulatory Compliance: Self-hosting reduces the risk of breaches and helps meet strict regulations like the GDPR and the HIPAA.
• Avoids External Policy Changes: Cloud-based AI providers frequently update pricing models, governance rules, and data policies. Self-hosting AI models provide stability and predictability in data management.
• Eliminates Token Costs: Using AI services from major providers (e.g., OpenAI, Google) requires purchasing tokens, making usage costs unpredictable. Self-hosting avoids reliance on fluctuating pricing. As demonstrated in the included chart, these prices are ever fluctuating and the cost of using AI that is not self-hosted is that one is at the whim of the cost dictated by the service provider. 

Fluctuating AI Token Costs

By investing in local AI infrastructure, businesses and individuals regain autonomy over AI processing, ensuring cost efficiency, data privacy, and long-term stability. Investing in the hardware means that one is not at the whims of the service provider for your virtual cloud instance. It allows for complete control over the data and for an eventual decrease in the amount of money self-hosting AI costs. 

How can using self-hosting AI help with regulatory compliance?

Self-hosting AI models is a crucial step toward ensuring compliance with data protection regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), while also reducing reliance on big tech companies. Under Article 9 of the GDPR, sensitive personal data, such as health information, biometric data, and racial or ethnic origin, requires strict protection and cannot be processed without explicit consent or a lawful basis. By self-hosting AI models, organizations retain full control over such data, minimizing the risk of unauthorized access and third-party breaches. 

Studies have shown that developing AI models within institutional boundaries, particularly in healthcare, enhances privacy and regulatory compliance. It allows for more ethical and secure AI deployment. Furthermore, reliance on centralized AI models controlled by major corporations raises concerns about monopolized access to data. This can potentially leading to biased decision-making and limited transparency. Self-hosting AI fosters greater ethical responsibility, ensuring that data governance aligns with user interests rather than corporate agendas.

Case study: Deepseek

In the beginning of 2025, there was a huge shock in the AI sphere with the introduction of DeepSeek R1. DeepSeek, a Chinese startup, was able to create and train an open sourced AI model for a fraction of the cost of its competitors. It is free to download and use. Since DeepSeek is based in China, there were growing concerns about using chat.deepseek.com or the application because of where the data is sent. However, if one is to host DeepSeek R1 the data is not sent anywhere the controller. Running DeepSeek as a self-hosted AI model is a simple and cost-effective way to explore the benefits of self-hosted AI, including privacy, performance, and cost savings.

Why is DeepSeek good for privacy?

But, do self-hosted AI models perform worse?

Short answer: No. A Swiss study showed that using a small local Deep Neural Net (DNN) alongside a remote large-scale AI model can help reduce the prediction cost by half without affecting the system’s accuracy. Essentially in 2022, Chat GPT-3 models cost $0.48 per request. The study worked by putting the input to a local hosted DNN for a response. If the response was trustworthy, the response was not forwarded to the GPT. If the output was not trustworthy, the GPT would need to compute the response. The local DNN was able to generate a correct prediction or response for 48% of the input needed and lost very little accuracy. Self-hosted AI models are able to save money for individuals. This is done by saving tokens and avoiding expensive calls with very little loss in terms of accuracy.

Why should businesses adopt self-hosting AI?

In a world where AI is increasingly intertwined with daily life, the decision to self-host AI models offers a powerful alternative to cloud-based solutions. By self-hosting AI models on personal hardware, one can improve: 

• Data Security: Eliminates external risks by keeping information in-house.
• Regulatory Compliance: Easier to meet industry-specific privacy laws.
• Cost Efficiency: Reduces long-term expenses related to cloud computing and API usage.
• Customization & Flexibility: Empowers users to fine-tune models to their specific needs, ensuring greater transparency and understanding of how AI systems operate.
• Improved Performance: Faster response times and reduced latency lead to better user experiences.

With advancements in open-source models like DeepSeek R1, running self-hosted AI models is more accessible than ever. This allows users to benefit from high-performance models without sacrificing privacy or autonomy. As AI continues to evolve, self-hosting AI models stands as a viable and increasingly necessary choice for those who prioritize control, security, and ethical responsibility in their AI usage.

The post Self-Hosting AI: For Privacy, Compliance, and Cost Efficiency appeared first on TechGDPR.

The EU AI Act 

The EU AI Act is one of the first laws in the world designed to regulate AI, setting rules to ensure AI systems are safe, ethical, and respect human rights. It classifies AI systems into four risk categories — from minimal risk to high risk. The stricter the category, the more oversight and compliance are required. The AI Act also outlines use of AI that is prohibited within the EU. Chapter 2, Act 5 of the EU AI Act prohibits the following uses of AI: 

• Using manipulative techniques to distort behavior and impair informed decision-making, causing significant harm;
• Exploiting vulnerabilities related to age, disability, or socio-economic status to distort behavior, causing significant harm;
• Inferring sensitive attributes (e.g., race, political opinions, sexual orientation) through biometric categorization, except for lawful purposes;
• Social scoring that leads to detrimental treatment based on social behavior or personal traits;
• Assessing criminal risk solely based on profiling or personality traits, unless supporting human assessments based on objective facts;
• Compiling facial recognition databases by scraping images from the internet or CCTV footage;
• Inferring emotions in workplaces or educational institutions, except for medical or safety reasons; and
• ‘Real-time’ remote biometric identification in public spaces for law enforcement, with exceptions for serious cases like missing persons or imminent threats.

There are also special considerations and requirements for the development or use of high risk AI systems, which are classified as such in Chapter 3 of the EU AI Act which could result in the necessity of a risk management system. Risk management systems are frameworks for identifying, mitigating, and managing AI-related risks, especially regarding discrimination and data breaches.

Lastly, the providers of General Purpose AI systems (GPAI) are subject to special requirements under Chapter 5. 

Important Principles for Ethical AI Policies to Address

When developing ethical AI, it is important to emphasize fairness, accountability and transparency. It is not just important in the development of AI systems but the use of AI systems. In essence, ethical AI is about ensuring that as AI technology advances, it does so in a way that respects human dignity, promotes fairness, and fosters trust, ultimately contributing to the well-being of individuals and society as a whole. 

Fairness

The primary objective of a fairness policy is to eliminate algorithmic bias and ensure that AI decision-making processes treat all individuals equitably. An AI policy should include comprehensive protocols such as fairness assessments, regular bias audits, and data diversity requirements during the training phases of AI systems. By mandating AI fairness testing before deployment and continuously monitoring systems for potential biases, organizations can proactively address and mitigate any unfair treatment. For instance, consider the case of Amazon’s AI recruitment tool, which was found to exhibit bias in hiring practices against women; this highlighted the necessity of implementing bias mitigation policies in AI-driven recruitment processes to ensure equitable outcomes.

Accountability

Establishing clear lines of responsibility for AI decision-making is crucial to ensuring human oversight and accountability. An AI policy should address the issue of accountability by defining specific roles and responsibilities within the organization for the oversight of AI systems. This includes establishing audit trails to track decisions and requiring regular reviews of AI outputs to ensure accountability. As Data Officers, TechGDPR can help in the development of these policies. Since the role of Data Officer involves data governance, we can help ensure oversight for your organization to maintain control over AI systems and understand their impact on decision-making processes.

Transparency

Transparency in AI systems is essential for building trust among users and complying with regulatory demands. The principle of transparency is also mentioned in Art.12 GDPR. An AI policy should be transparent and include protocols that mandate the use of explainable AI models, thorough documentation of decision-making processes, and clear disclosures in privacy notices regarding AI-driven data usage. A good AI policy should require organizations to provide stakeholders with comprehensible explanations for AI-driven decisions, ensuring that the operations of AI systems are understandable to both users and regulators. Organizations that adopt explainable AI frameworks such as the OECD Transparency and Explainability Principle, for example, can better maintain transparency and meet regulatory requirements, fostering trust and accountability in their AI applications.

The Role of Data Officers in Ethical AI Policy Creation

Data Officer is a new service provided by TechGDPR in which we can help with AI compliance as well as serving as a Data Protection officer, a role which can be mandated by the GDPR. Instead of having multiple people filling these roles, a Data Officer can understand how to navigate everything for your peace of mind. It is not a traditional role for privacy or AI compliance but this innovative role can alleviate stress for how to navigate multiple regulations including the AI Act as it is so new. 

Conclusion

In conclusion, as AI continues to permeate various industries, ensuring its ethical use is paramount. The EU AI Act lays out new legal requirements for AI systems and multiple frameworks including the OECD emphasizing the need for fairness, accountability, and transparency which can be done through the creation of AI policies. Organizations must not only comply with these regulations but also proactively adopt ethical AI practices to build trust and mitigate risks.

TechGDPR’s Data Officer service offers a comprehensive solution, integrating AI compliance with data protection and privacy governance. By crafting and implementing tailored AI policies, a Data Officer can ensure that your organization’s AI systems are not only legally compliant but also ethically sound, fostering a responsible approach to AI development and usage. As the landscape of AI regulation evolves, partnering with a Data Officer will be crucial in navigating these complexities and maintaining your organization’s commitment to ethical AI.

The post Ethical AI: How Data Officers Craft Policies for Fairness, Accountability, and Transparency appeared first on TechGDPR.