Why data protection legislation offers a powerful tool for regulating AI

As this week’s AI Action Summit begins in Paris, Gabriela Zanfir-Fortuna explains why data protection laws like the EU’s General Data Protection Regulation are emerging as key tools for regulating AI.


For some, it may have come as a surprise that the first existential legal challenges large language models (LLMs) faced after their market launch were under data protection law, a legal field that looks arcane in the eyes of those enthralled by novel Artificial Intelligence (AI) law, or AI ethics and governance principles. But data protection law was created in the 1960s and 1970s specifically in response to automation, computers and the idea of future “thinking machines”.

The fact that it is now immediately relevant to AI systems, including the most complex ones, is not an unintended consequence. To some extent, the current wave of AI law and governance principles could be seen as the next generation of data protection law. Yet if it is not developed in parallel and if it fails to build coherently on the existing body of data protection laws, practice and thinking, it risks missing the mark.

AI was embedded in the creation of data protection law

One of the architects of the Fair Information Practice Principles (FIPPs), which remain at the core of data protection law, is Arthur Miller, an American law professor. He wrote back in 1971 that it “may not be long before computers are communicating with each other and with their operators in much the same manner as humans communicate among themselves. Indeed, there already are some sophisticated programmes that enable machines to generate ‘conversations’ and to ‘learn’ in the sense of cumulating data and experience”.

Miller observed at that time a “breadth of concern over the dehumanisation of modern society and the animus directed at the computer, whether entirely rational or not”, and wanted to avoid “the possibility of propagating a record-oriented citizenry that has lost its autonomy and individuality”.

In the same volume, The Assault on Privacy, he noted that people must start learning “how to live in a society that treats information as an economically desirable commodity and a source of power”. Miller argued that control of the individual over the information connected to them is paramount, otherwise the individual, in some measure, “becomes subservient of those people and institutions that are able to manipulate it”.

Miller was a member of the Committee assembled by the US Department of Health, Education and Welfare in the early 1970s to explore ways in which the rights of citizens and the well-being of society are affected by computers and automation, and, importantly, to propose measures that will protect them. The Committee included a mix of computer scientists, social scientists, healthcare administration leaders and credit scoring experts, as well as legal scholars.

Other prominent members were Joseph Weizenbaum, the computer scientist who created the first conversational chatbot, ELIZA, and Willis Ware, the Chairman of the Committee and a computer pioneer who co-developed the IAS machine that laid down the blueprint of the modern-day computer in the late 20th century.

This Committee authored the influential Records, Computers and the Rights of Citizens report of 1973, which laid down and conceptualised the FIPPs: transparency, access, purpose limitation, accuracy and correction, integrity and security. From the US Privacy Act of 1974 to the OECD Guidelines on Privacy and Transborder Data Flows in 1980, the Council of Europe Convention 108 for the Protection of Individuals with regard to Processing of Personal Data from 1981, to modern data protection laws like the EU General Data Protection Regulation (GDPR), the FIPPs had a significant influence, even as they evolved over time.

During the same early years, this effort in the US was mirrored by similar efforts in Western Europe, with a transatlantic exchange of ideas being noted by Frits Hondius in his 1975 volume Emerging Data Protection in Europe. The German state of Hesse adopted the first data protection law on the continent in 1970, including the creation of the first specialised data protection authority (DPA).

National laws emerged in the following years and decades in Germany, the Netherlands, Denmark, France, the UK and others. Those national laws were harmonised by the European Communities’ Directive 95/46 on data protection in 1995, which was modernised in 2016 by today’s GDPR, a law with unprecedented impact around the world.

Data protection authorities are the most active AI regulators

The Italian data protection authority, the Garante, made headlines around the world in the spring of 2023 when it issued an interim order against OpenAI to stop processing personal data of people in Italy through its ChatGPT service, the first mass-adopted large language model.

At that time, the EU AI Act was still the subject of intense negotiations, being adopted only a year later. The Garante laid out several potential violations of the GDPR in the interim order, including lawfulness, transparency, rights of the “data subject” (the individual whose personal data is concerned), processing personal data of children and data protection by design and by default.

Following the order, OpenAI engaged in consistent cooperation with the Garante to respond to its concerns. After the company committed to making several changes to the service, the Garante removed the interim order a month later. The case was finalised in December 2024 and it resulted in a 15 million euro fine for OpenAI and a request for a six-month communication campaign targeting non-users of ChatGPT.

Among the issues the Garante sanctioned were insufficient transparency about the personal data being processed, the absence of a legal basis for processing personal data to train the large language model, insufficient means to ensure the accuracy of data, and the absence of an age verification system at the time the investigation started.

Since that first interim order, other data protection authorities around the world have started similar investigations into ChatGPT or have led their own cases against other commercial applications of AI models, like the Brazilian data protection authority in a case concerning a large language model developed by Meta, or the South Korean data protection authority in a case where it ordered the deletion of a model created by Alipay to estimate the likelihood of payment failure by customers.

In recent weeks, data protection authorities have responded swiftly with requests for information, the opening of investigations and even a ban against DeepSeek AI, the Chinese large language model upending the global AI market. But even before everything was labelled AI, data protection authorities were active in applying data protection law to machine-learning and similar techniques that amounted to solely automated decision-making (which is specifically regulated by the GDPR in Article 22).

The evolving nature of data protection law allows it to remain relevant in the age of AI

Formally, data protection law is immediately triggered in AI contexts whenever the processing of personal data is involved. Substantively, data protection law has meaningful tools to ensure the accountability of AI systems’ providers and deployers, and to ensure that the rights of individuals are considered throughout the lifecycle of an AI system.

This includes transparency requirements, principles like fairness, purpose limitation and data minimisation, as well as required security measures, risk assessments (with data protection impact assessments and legitimate interest assessments being the most relevant) and individual rights like access and deletion or correction, among other safeguards.

Recent guidance from the European Data Protection Board or the CNIL (the French data protection authority) shows the GDPR is flexible enough to avoid inhibiting the AI revolution in the EU, while at the same time offering protections to the rights of individuals.

The CNIL, in particular, published recommendations on AI and the GDPR “to support responsible innovation” prior to this week’s AI Action Summit in Paris. It interpreted decades-old principles like “purpose limitation” and “data minimisation” in a way that is adapted to the reality of general-purpose AI (GPAI) systems. For instance, the CNIL allows data controllers to “describe the type of system being developed and illustrate key potential functionalities” when it is not possible to define all potential applications at the training stage to fulfil the “purpose limitation” requirement.

The way in which data protection law regulates AI is meaningful also because it regulates all processing of personal data, not only data underpinning high-risk or unacceptable-risk AI systems. At the same time, it is consequential, and it can be swift – because data protection law is enforced by specialised and independent supervisory authorities that have been granted significant competences and powers over time and which are increasingly operating as part of a global network.

Marvelling at the vibrant legislative landscape on data protection in Europe at the beginning of the 1970s, Hondius foresaw in his 1975 book that “there is no doubt that not only computers, but also the law will continue to evolve. Data protection law will perhaps have its generations, like computers”. Perhaps AI-specific laws, like the EU AI Act, were in fact meant to be a new generation of data protection law prompted by a new leap in computing. If so, they should be significantly more coordinated with data protection law’s vast history and comprehensiveness.


Note: This article gives the views of the author, not the position of EUROPP – European Politics and Policy or the London School of Economics. Featured image credit: © European Union
