GDPR and Artificial Intelligence – A Conscious Coupling


It is an undeniable fact that Artificial Intelligence (“AI”) has rapidly evolved in recent years and has even more swiftly been integrated in the everyday lives of families and professionals worldwide. The sociotechnical environment of today’s world is a reality and with every passing day AI technology is added to different digital or previously manual functions as part of a cross-industry technological leap. The use of AI technology is seemingly the new normal and is no longer a science fiction work of entertainment. As impressive as the technology’s range of uses and offered benefits are, the use of AI has been a hotly debated subject in relation to its compatibility and coexistence with the General Data Protection Regulation (“GDPR”).

The European Commission has issued a White Paper in February 2020 for the purpose of setting out policy options on how to achieve the uptake of AI, whilst addressing the risks associated with certain uses of this new technology. Following the Commission’s White Paper, an array of commentaries have been published including the European Data Protection Supervisor’s (“EDPS”) opinion on the aforementioned White Paper. Nevertheless, there doesn’t seem to be an automatic and harmonic definitive consensus in relation to the conciliation between the GDPR and AI technology or in relation to the general regulatory framework for AI, without further work, research and policy proposals.

A vital observation by the EDPS is that, the European data protection legal framework is technology-neutral and it does not form an obstacle for the successful adoption of new technologies, in particular AI. On the contrary, it is meant to foster the application of any technology to the processing of personal data while at the same time maintaining respect for European values and fundamental rights in full.

In the GDPR, great attention has been given to the allocation of responsibilities, which are vital in order to enforce privacy protection and implement the GDPR’s intended personal data protections. As previously mentioned, the GDPR is technology-neutral, therefore, the obligations under the GDPR must be met by data controllers and data processors alike, in the context of AI technology when that technology is utilized to process personal data. It remains necessary, therefore, to clearly assign roles and responsibilities when data controllers and data processors are processing data through AI technology. This assignment of roles and responsibilities, however, in practice may be proven to be difficult, since the use of the technology could prove to have blurred certain otherwise straightforward processes and the navigation of who controls and who processes what data, may be a more difficult task than ever before.

In observing and studying AI technology it becomes evident that there are many risks and harms associated with the use of the technology from a data protection perspective, which may on the face of it, be overshadowed by the enormous benefits AI technology has to offer, but they should not be sidelined as they need to be dealt with before the AI technology related EU-wide regulation is officially adopted.

In the EDPS’s opinion paper on the AI-related White Paper of the European Commission, there is a criticism that the White Paper recognizes a wide variety of risks and harms brought about by AI applications specifically, but the measures it suggests would only address a portion of them, namely the category ‘high risk’. This approach according to the EDPS does not reflect the precautionary approach taken by the GDPR since the approach taken in the GDPR is risk-based too, but, crucially, it is layered, whereas the AI White Paper seems to take an “all or nothing” approach. The White Paper’s “all or nothing” approach is that it seemingly proposes that solely high-risk AI applications require specific additional obligations whereas the GDPR operates with the notion that all processing operations of personal data involve risks and the relevant obligations need to be fulfilled at any rate for all processing activities.

The everyday operation of AI technology is seemingly the new normal and all signs point to a further mainstream integration of the technology in our daily lives. The technology is new and as with all new technologies, time, effort and research, both legal and technical, is essential for the proper operation and regulation of the technology. The GDPR is arguably one of the most essential legal tools which will work towards the structuring out of AI technology’s legal framework. The steps toward the right direction have already been taken within the EU community with many commentaries preceding and following the European Commission’s White Paper and along with the legal and technology professionals, a wider societal engagement will undoubtedly work towards a workable and effective EU-wide AI technology regulation which will have a lot of the GDPR in its legal framework DNA.


Article provided by: Constantinos Andronicou (Tassos Papadopoulos & Associates, Cyprus)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.