In the digital age, the era of convergence of technological advancements and the realm of artificial intelligence (AI), significant challenges have emerged within the fields of upholding data privacy and cybersecurity. As these challenges mount, the legal landscape is trying to keep up, with legislative attempts and regulatory frameworks around the globe, including the EU organs, aiming to balance the need for safeguarding individual privacy while also fostering innovation.  

Undeniably, the increasing sophistication of generative AI technologies intensifies concerns about the collection of personal data and privacy rights. Generative AI, by its nature, requires massive datasets to train algorithms that can generate realistic outputs such as text, images, and even videos. The data used to train these models often includes personal information that may have been collected without the explicit consent of individuals, raising significant privacy concerns and data breaches. Therefore, such reliance on large datasets volumes, that can even generate personalized recommendations, has intensified concerns about personal data misuse.

What is worrying is that many privacy laws, particularly those enacted prior the advent of AI technologies, were not designed to address the complexities of modern data collection, sharing, and usage. For instance, generative AI models may inadvertently reveal sensitive information that was included in training datasets, or they may create deepfakes that manipulate personal data in harmful ways. ‘Ensuring the successful progression of AI is arguably one of the most critical inquiries in the annals of humankind (Mckinsey & Company, 2024).’  Indeed, AI underscores the need for much stronger data protection laws that can fully address and keep up with the new challenges for safeguarding fundamental rights.  

Truly, such rapid expansion of digital technologies has spurred significant legal and regulatory challenges, with EU aiming to be at the forefront through comprehensive laws and regulations. Particularly, the General Data Protection Regulation (GDPR), enacted in 2018, remains the cornerstone of data privacy law in the EU and one of the most comprehensive data protection frameworks globally. This is why it is worth diving deeper into key provisions of the GDPR legislation. Particularly, Article 15 secures the Right to Access for individuals on their personal data held by organizations, as well as to understand the purposes for which their data is being processed and how it is being used. This enables individuals to gain insight into how AI systems process and generate personal data, ensuring transparency in the use of AI technologies. Further, Article 17 unlocks the Right to Erasure, giving to individuals the ability to request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or when they withdraw consent for its processing. This is significant when it comes to generative AI, where personal data used to train models may need to be removed to prevent unauthorized use or dissemination.

As regards the right to Object, Article 21 provides a further safeguard against the overreach of AI technologies that may otherwise use personal data in ways that individuals may find objectionable. Hence, individuals can object in the processing of their personal data for certain purposes, including profiling and automated decision-making, which are common in AI-driven systems. In addition, Article 9 sets out stricter conditions for the regulation of sensitive data, such as health information, biometric data, and racial or ethnic origin. Given that generative AI can involve the processing of sensitive personal data, the GDPR ensures that such data is protected through enhanced safeguards and requirements for explicit consent. Indeed, being applicable to all businesses and organizations that process personal data, the GDPR is designed to safeguard individuals’ rights to privacy and to regulate the processing of personal data.

While the GDPR provides a foundational legal framework for data privacy, the EU has taken a step further through additional legislation to address the unique challenges posed by AI technologies, with the DSA being inevitably a crucial legislative intervention. Characteristically, the Digital Services Act (DSA) enacted in 2022, aims to create a safer and more accountable digital space by establishing rules for online platforms, including social media services, e-commerce websites, and content-sharing platforms. It places greater responsibility on these platforms to prevent harm and ensure transparency, especially in the context of user data. For generative AI, the DSA ensures that platforms hosting AI-generated content are held accountable for harmful or misleading information, including forms of disinformation.

Another promising legislative attempt seems to be the Artificial Intelligence Act (AI Act) which is expected to be finalized by 2026. This Act will hopefully signify evolution, as the principal aim is expected to be the regulation of AI technologies by classifying them according to the level of risk they pose. This includes the introduction of a risk-based approach, stricter requirements for high-risk AI systems, including those that process personal data and allowing individuals to challenge automated AI decisions. This is crucial because the Act promises to be a vital web in upholding transparency and accountability in AI systems, while simultaneously ensuring compliance with all other data protection laws.

All in all, as AI technologies continue to evolve in such rapid pace, the rocky path towards rejoicing innovation while also upholding privacy and security, should be brightened. However, the question remains: Will the legislative attempts keep up with such rapid expansions or will AI dominate our data?  Without taking a pessimistic viewpoint, the evolving EU’s legal landscape seems to be promising comprehensive legal protections and greater data control in the years to come. Ultimately, in such unpredictable digital era, the EU’s legislative efforts gift us the hope that innovation and the protection of our fundamental rights can co-exist.