GDPR becomes an AI risk

- A business analysis warns many firms still treat GDPR as a regional burden rather than core governance for AI.
- The piece argues misreading privacy rules creates hidden legal exposure and operational blind spots for AI deployments.
- As AI consumes and repurposes more data, European privacy expectations could shape governance standards and commercial trust for global firms. (wbn.digital)

Companies building or buying artificial intelligence are running into an older European law: the General Data Protection Regulation is becoming an operating risk, not just a legal footnote. (wbn.digital) A WBN analysis published April 18 says many firms still treat GDPR as a regional compliance problem even as AI systems ingest browsing data, device identifiers, cookies and user content that can fall inside the law’s scope. The piece argues the law follows data processing, not a company’s headquarters. (wbn.digital)

European regulators have been spelling that out in newer AI guidance. On December 18, 2024, the European Data Protection Board adopted Opinion 28/2024 on personal data in AI models, covering anonymity, the use of legitimate interest as a legal basis, and the consequences when a model is built on unlawfully processed data. (edpb.europa.eu)

The practical issue is simple: AI systems reuse data for training, fine-tuning, retrieval and monitoring, so a company can create privacy exposure long after the original collection step. Under European Commission guidance, regulators can issue warnings, bans on processing and fines of up to €20 million or 4% of worldwide annual turnover. (commission.europa.eu)

That pressure now sits alongside the European Union’s separate AI Act. The AI Act entered into force on August 1, 2024, and some provisions, including banned practices and AI literacy duties, started applying on February 2, 2025; the broader framework becomes fully applicable on August 2, 2026. (digital-strategy.ec.europa.eu) The AI Act does not replace privacy law. The European Commission says it adds risk-based rules for high-risk systems, transparency duties and obligations for general-purpose AI models, while GDPR still governs personal-data processing underneath those systems. (eur-lex.europa.eu)

Enforcement has already reached generative AI. Italy’s privacy authority said OpenAI must pay a €15 million fine and run a six-month information campaign after an investigation that began in March 2023 over ChatGPT’s data handling, legal basis for training data, transparency and age checks. (garanteprivacy.it) That case is still moving through the courts. The Italian authority said its November 2, 2024 order was temporarily removed from its website after a Rome court judgment published March 18, 2026 accepted an opposition to the measure, but the regulator’s statement still lays out the allegations and penalty. (garanteprivacy.it)

For companies outside Europe, the warning is less about geography than design. If an AI product touches European users’ personal data, European privacy rules can shape how that product is trained, documented, marketed and trusted. (wbn.digital)
