AI at Risk in the EU: It's Not Regulation, It's Implementation ...
The implementation of the General Data Protection Regulation (GDPR) in the EU, rather than the regulation itself, is holding back technological innovation. The EU’s data protection governance architecture is complex, leading to contradictory interpretations among Member States. This situation is prompting companies of all kinds to halt the deployment of transformative projects in the EU.
The case of Meta is paradigmatic: both the UK and the EU broadly have the same regulation (GDPR), but the UK swiftly determined that Meta could train its generative AI model using first-party public data under the legal basis of legitimate interest, while in the EU, the European Data Protection Board (EDPB) took months to issue an Opinion that national authorities must still interpret and implement individually, leading to legal uncertainty.
Fragmented Enforcement Landscape
Similarly, the case of Deepseek has demonstrated how some national data protection authorities, such as the Italian Garante, have moved to ban the AI model outright, while others have opted for investigations. This fragmented enforcement landscape exacerbates regulatory uncertainty and hampers EU’s competitiveness, particularly for startups, which lack the resources to navigate an unpredictable compliance framework.
Strengthening the EDPB’s Role
For the EU to remain competitive in the global AI race, strengthening the EDPB’s role is essential. The recent adoption of the pioneering Artificial Intelligence (AI) Regulation in the European Union (EU) has prompted volumes of written analysis. Some argue that heavy-handed technology regulations might hinder innovation.
While many of the recent innovations in AI are taking place outside the EU, it is critical that the EU does not remain on the sidelines of their implementation. The EU does not need to spearhead every technological innovation to exert global influence, but European companies in the EU should stay on top of these innovations and consider their application in order to remain competitive.
The Impact of GDPR
Unfortunately, the EU’s implementation of the General Data Protection Regulation (GDPR) may leave EU companies on the sidelines when it comes to implementing advances in the field of AI. As will be explained below, it is not so much the regulation itself, the GDPR, but its interpretation and implementation by EU authorities.
Data for AI Models
AI systems are at the forefront of technological advancement, with generative AI leading the way in diverse applications, from natural language processing to image generation. However, the efficacy and functionality of AI systems heavily depend on the quality and volume of data used during their training.
:max_bytes(150000):strip_icc()/general-data-protection-regulation-gdpr.asp-final-1b12e02aa4d149b9af4fcd8aec409a89.png)
Understanding the categorisation of data and its implications is essential to appreciate the transformative potential of AI technologies. Moreover, the debate between open-source and closed-source models adds another layer of complexity to the discussion, as it influences how data can be utilised and innovation fostered.
Categories of DataThe types of data used for training AI models are diverse and extensive. For the purposes of this article, a conceptual framework is proposed that distinguishes three categories: personal and non-personal data, public and private data, and first-party and third-party data. This classification is intended to provide a structured approach to discussing the implication of data use in AI development.
Personal Data: is data that relates to an identified or identifiable natural person. This includes any information that can be linked to a specific individual, either directly or indirectly.
Non-Personal Data: is data that cannot be used to identify a specific individual. It can be aggregated, anonymised or simply does not contain information that can be traced back to an individual.
Public Data: are accessible to anyone without restrictions, as they are either published in official sources or are simply open to the general public.
Private Data: are data to which only authorised individuals or organisations have access.
First-Party Data: is data collected directly by a company or entity from its own users or customers.
Third-Party Data: is data collected by an external entity, not directly from the users or customers with whom an organisation interacts.
Open Source vs. Closed Source Models
AI models can be open source or closed source. In open source models, anyone can access the source code and components of the model, study it, modify it, improve it or use it for specific purposes without restrictions, as long as the terms of the relevant licence are met.
In closed source models, the source code is not publicly available and is controlled by the organisation or company that developed it.
GDPR and Data Processing for AI Models
As noted above, the GDPR is the EU’s General Data Protection Regulation. Among its provisions, it includes conditions for the use of personal data. Specifically, as per Article 6(1), the processing of personal data is only permitted in certain situations. For the purposes of processing personal data for AI models, consent and legitimate interest are the two relevant grounds that balance innovation with individual rights.
