In an era defined by rapid technological advancement, Europe finds itself at the epicentre of a critical debate: how to protect fundamental rights while fostering the innovation that drives our digital society? The European Data Protection Board (EDPB), poised to issue its latest Opinion under Article 64(2) GDPR on the appropriate legal basis for AI model training, has a unique opportunity to reaffirm the GDPR as a future-proof, enabling framework that fosters both innovation and data protection.
The General Data Protection Regulation (GDPR), which inspired a wave of data protection laws around the world, is now at a crossroads.
This is far more than a question of legal interpretation — it is a test of Europe’s leadership in the digital age, and the stakes are high. As the Draghi report reminded us, at the core of this endeavor is the need to enable AI technology’s transformative potential, to contribute to European productivity and competitiveness and, at the same time, safeguard a high standard of data protection for millions of Europeans.
A Future-Proof GDPR
The GDPR was crafted as a principle-based, technology-neutral, forward-looking regulation designed with the foresight that the digital landscape would evolve in ways that may be difficult to predict. This vision reflects a fundamental understanding: innovation and privacy are not incompatible but actually thrive together when supported by a robust and flexible regulatory framework.
A compelling example of this adaptability is blockchain technology. In its early days, debates centered on whether distributed ledgers, with their immutable and decentralised nature, could align with GDPR’s requirements, such as data minimisation and the right to erasure. A combination of progressive regulatory guidance and technological ingenuity ensured GDPR did not act as an inhibitor of this technology. Innovation does not have to come at the expense of data protection.
Equally, the Court of Justice of the European Union (CJEU) has previously addressed challenges in adapting data protection principles to novel technologies. In the Google Spain ruling, the Court addressed the lawful use of web-sourced data, including the use of legitimate interest as a legal basis for data processing. Similarly, in GC and Others v. CNIL, the Court creatively addressed the incidental collection of sensitive data in the context of search and web data. Such a ruling demonstrates the GDPR’s capacity to uphold its core objectives while navigating the complexities of a rapidly evolving digital landscape.
At the heart of the GDPR is its risk-based approach – a principle that ensures compliance measures are proportionate to the potential harm posed by specific data processing activities. The continued success of the GDPR as a future-proof regulation hinges on this adaptability and on an adaptable interpretation of its core principles. Its ability to evolve alongside technological advancements while protecting individual rights is essential for maintaining trust in an ever-changing digital world.
The Data Dilemma: Training AI Responsibly
The transformative technology of AI is deeply reliant on data. Training AI models often depends on access to large datasets, where the quality, quantity and diversity of the data involved contribute to proper model functioning. This may create tension with existing data protection principles, such as purpose limitation, transparency, data minimisation, use of sensitive or special categories of data, and the ability for individuals to exercise their rights, such as through access and erasure requests. To address these tensions, the EU must adopt pragmatic, proportionate and risk-based interpretations of its laws, particularly the GDPR. This is the only way to enable responsible AI development.
In the context of AI model training and development, the legitimate interest legal basis emerges as the most appropriate foundation for processing personal data, whether the organisation’s own or publicly sourced data. While other legal basis may have a role to play in a particular case, legitimate interest is specifically designed to provide a flexible framework that supports responsible data processing and adaptation to rapid technological advancements. It also delivers effective accountability in practice, shifting the onus from individuals to organisations to ensure lawful and fair processing. When relying on legitimate interest, organisations must weigh the benefits of data processing and the risks of harm to individuals and their fundamental rights. Where risks are identified, organisations are required to implement measures to mitigate the risks, increasing the safeguards and the level of protection that would have otherwise existed. This process ensures transparency, fairness and trust in how data is handled, fostering confidence in its responsible use. It seeks to maximise both the societal benefits of innovation and the protection of individual rights. Organisations are able to develop generative AI models responsibly, provided that their legitimate interests are not outweighed by the rights and freedoms of individuals.
Similarly, principles like data minimisation should be applied proportionately and in a risk-based way. While limiting unnecessary data collection is essential, the EU must recognise that high-quality AI models often require large and diverse datasets. Rather than restricting data volume outright, organisations should be made to focus on minimising risks through anonymisation, filtering, and privacy-enhancing technologies (PETs).
Addressing Sensitive Data: Optimising Fairness and Privacy
The use of sensitive personal data presents critical tension in AI model development. Such data can be essential for reducing bias and ensuring fairness in AI models, particularly in applications like hiring or credit scoring. Equally, some AI models will have to be trained on sensitive personal data where the desired purpose is the development of an AI-based application to address vulnerable groups or to be used in the health field. Yet, GDPR heavily restricts the processing of sensitive data beyond very narrow use cases, none of which address the realities of AI adequately.
The EU’s Artificial Intelligence Act offers a potential blueprint by permitting the use of sensitive data for bias mitigation in high-risk AI systems under strict conditions. However, a gap remains for lower-risk systems, where sensitive data could still be critical for ensuring fairness, as well as broader use of sensitive data in specialist AI applications. Closing this gap will require a thoughtful policy that encourages fairness while safeguarding individual rights.
The Economic Imperative of Innovation
Innovation is not a zero-sum game. Emerging technologies such as AI or the Internet of Things hold immense potential to drive economic growth, improve public services, and tackle global challenges like climate change and healthcare shortages. AI-powered tools are transforming industries from healthcare, disease prevention, disaster response management and epidemic control to e-commerce and urban planning. The 2024 Nobel Peace Prize winners for chemistry were John Jumper and Demis Hassabis at Google DeepMind for developing AlphaFold, an AI tool which de-codes and maps protein structures. Once considered impossible, this discovery is a major revolution in science and was only possible through the use of AI.
Similarly, in the energy sector, AI-driven technologies are contributing to a reduction in carbon emissions by enabling smarter grids, increasing the energy efficiency in buildings and decreasing our carbon footprints. Such innovations rely on personal data, such as satellite imagery, individual energy consumption data and travel data. These innovations align with Europe’s broader goals, such as those outlined in the European Green Deal.
Data protection as a fundamental right should not be put on a collision course with other fundamental rights, such as right to health, life, economic activity, freedom of expression, safety. AI can play a role in enabling all these rights and be a driver for economic growth, societal innovation, and strategic sovereignty in Europe.
However, realising these broad benefits requires a regulatory framework, interpretation and supervision that is risk-based, encourages both experimentation and investment in technologies, rejects overly precautionary principles and includes the consideration of benefits and loss of opportunity as well as the risk.
A Call for Pragmatism
As the EDPB finalises its Opinion, the path forward is clear: the GDPR must uphold its core principles of accountability, proportionality, and transparency while adapting to the dynamic realities of a rapidly evolving digital landscape.
To ensure Europe remains competitive, European businesses and entrepreneurs need a clear signal: the GDPR is not an obstacle to technological advancement but a framework that fosters responsible innovation. Evolving the interpretation of GDPR’s principles in a proportionate, risk-based and outcomes-based way can unlock AI’s full potential, enabling the EU to lead on the global stage while safeguarding citizens’ rights. Europe is in need of a digital single market in data, that reflects Europe’s peoples, languages and the diversity of our continent as sine qua non for the development and adoption of trusted AI technologies in Europe.
This is about more than just regulatory compliance; it is a test of Europe’s capacity to lead in the digital age.
By the Centre for Information Policy Leadership.
