Kayli Lewis warns of GDPR liability for AI vendor chains
- Privacy lawyer Kayli Lewis said companies using artificial intelligence vendors still carry General Data Protection Regulation duties when personal data moves through contractors, processors, and sub-processors in production systems.
- The legal hook is Article 28 of the GDPR: controllers must choose processors with “sufficient guarantees,” and primary processors stay fully liable if a sub-processor fails its duties.
- The warning lands after Ireland’s Data Protection Commission fined TikTok €530 million on May 2, 2025 over China transfers and transparency failures. (dataprotection.ie)
Kayli Lewis’s warning is simple: a company cannot hand personal data to an artificial intelligence vendor and hand away its General Data Protection Regulation liability with it. (edpb.europa.eu) (eur-lex.europa.eu)

Under Article 28, a controller must use only processors that provide “sufficient guarantees” on security and compliance before any processing starts. If that processor hires another processor, the chain still has to be documented and governed by contract. (eur-lex.europa.eu) (edpb.europa.eu) The European Data Protection Board sharpened that point in Opinion 22/2024 on October 9, 2024, saying controllers must be able to identify actors in the processing chain and check compliance across processors and sub-processors. (edpb.europa.eu)

That matters for artificial intelligence deployments because a single product can involve a model provider, a cloud host, an annotation vendor, a safety filter, and an agent framework passing prompts and outputs between them. If any of those systems handles personal data, the General Data Protection Regulation applies to the chain, not just the front-end app. (microsoft.com) (edpb.europa.eu)

Ireland’s Data Protection Commission supplied the enforcement backdrop on May 2, 2025, when it fined TikTok €530 million after finding unlawful transfers of European Economic Area user data to China and transparency breaches. The DPC split the penalty into €485 million for Article 46 transfer violations and €45 million for Article 13 transparency failures. (dataprotection.ie) (edpb.europa.eu) The DPC said TikTok failed to verify and demonstrate that data remotely accessed by staff in China had protection “essentially equivalent” to European Union standards. It also ordered TikTok to bring processing into compliance within six months and suspend transfers to China if it did not. (dataprotection.ie)

For teams buying artificial intelligence tools, the practical question is not whether a vendor says it is “GDPR compliant.” The question is which entities process the data, where the data goes, who can access it remotely, and what contracts and audit rights cover each step. (eur-lex.europa.eu) (edpb.europa.eu)

Article 28 also says that when a processor uses another processor, the same data protection obligations must flow down by contract. If the sub-processor fails those duties, the initial processor remains fully liable to the controller for that failure. (eur-lex.europa.eu) That leaves companies integrating artificial intelligence with an old compliance job in a new wrapper: map the data, vet the vendors, approve the sub-processors, and keep records that can survive a regulator’s questions. (edpb.europa.eu) (microsoft.com)