AI is not explicitly mentioned in the GDPR, but many provisions in the GDPR are relevant to AI, and some are indeed challenged by the new ways of processing personal data that are enabled by AI. There is indeed a tension between the traditional data protection principles – purpose limitation, data minimisation, the special treatment of 'sensitive data', the limitation on automated decisions – and the full deployment of the power of AI and big data. The latter entails the collection of vast quantities of data concerning individuals and their social relations and the processing of such data for purposes that were not fully determined at the time of collection. However, there are ways to interpret, apply, and develop the data protection principles that are consistent with the beneficial uses of AI and big data.
Data protection in the AI Act
→ Not all AI systems process personal data → only those in the overlap between the AI Act and GDPR must comply with both regulations
→ Being classified as high-risk under the AI Act does not replace or automatically imply GDPR compliance
Recital 10
→ The AI Act should facilitate the effective implementation and enable the exercise of the data subjects’ rights and other remedies guaranteed under Union law on the protection of personal data and of other fundamental rights
- No impact on existing data protection laws: the AI Act does not change or override EU laws on personal data processing
- Obligations for AI providers and deployers: Providers and deployers of AI systems must still comply with data protection laws when processing personal data
- Data subjects’ rights: Individuals maintain all their rights under EU law, including those related to automated decision-making (ADM) and profiling
- Supporting the exercise of rights: The AI Act helps ensure individuals can effectively exercise their data protection rights and seek remedies
Recital 63
- Classification as high-risk does not automatically make AI use lawful under Union or national law
- Data protection laws (like GDPR) still apply independently
- The AI Act is not a legal basis for processing personal data unless explicitly stated
Common Vocabulary
Data Minimisation
- Core principle: Data should be adequate, relevant, and limited to what’s necessary for the processing purpose.
- Challenge in AI/ML:
  - Machine learning often seeks more data for better performance ("data maximisation").
  - Data that seems irrelevant now may become useful later when combined with other datasets.
  - It’s hard to define and enforce "minimal data" in practice due to these uncertainties.
Accuracy
- Core principle: Personal data must be accurate and kept up to date.