Data protection and AI in Europe

By Ramón Villot Sánchez, Legal & Compliance Director 

Between the strength of a pioneering regulatory framework and criticisms of excessive bureaucracy

The regulation of data protection and its interaction with artificial intelligence (AI) has become one of the greatest legal challenges of our time. The European Union, through the General Data Protection Regulation (GDPR), has laid the foundations for a demanding legal framework, imposing strict obligations on organizations that develop or use AI-based technologies. 

 

GDPR and the principle of “privacy by design” 

One of the cornerstones of the GDPR is the “privacy by design” principle, which requires that the protection of personal data be integrated from the earliest stages of any technological system’s design. This means data processing must always be carried out with the explicit consent of the data subject and under strict security measures. Non-compliance is no minor issue: penalties can reach up to 4% of a company’s global annual revenue. 

 

The EU Artificial Intelligence Act: control and innovation 

As of August 1, 2024, the new EU Artificial Intelligence Act has come into force with a clear goal: to ensure that AI systems operate ethically, reliably, and securely. The regulation adopts a risk-based approach, classifying AI applications by their potential impact and establishing differentiated requirements for each category. The challenge is ambitious: to protect fundamental rights without hindering technological innovation. 

 

The view of the European Data Protection Board (EDPB) 

The European Data Protection Board has issued a key opinion addressing the main challenges of processing personal data in the AI context, focusing on three critical areas: 

  • Data anonymization: while many AI models claim to process data anonymously, the EDPB clarifies that data can only be considered truly anonymous if the risk of re-identification is insignificant. 
  • Legitimate interest as a legal basis: invoking legitimate interest to justify data processing in AI requires careful assessment, balancing this interest against fundamental rights such as privacy, freedom of expression, and non-discrimination. 
  • Lawfulness of data used: when training an AI model involves data obtained without consent or of questionable origin, the EDPB recommends applying anonymization techniques from the outset to minimize legal risks. 

 

Real challenges, responsible solutions 

Organizations that fail to properly manage AI-related risks may face serious legal consequences—especially when engaging in practices like web scraping or purchasing unverified data sets. At the same time, European authorities must strike a balance between protecting citizens’ rights and fostering an environment that supports technological development. 

In this context, simplifying the regulatory framework without compromising safeguards will be essential. The evolution of AI poses challenges that cannot be solved through rigid regulation, but rather through dynamic legal frameworks that promote transparency, accountability, and technological education. 

 

AI and Privacy: Moving Forward Without Compromising Rights 

The relationship between artificial intelligence and data protection requires a comprehensive approach: we must ensure people’s security and privacy without halting progress. The answer lies not in excessive regulation, but in encouraging responsible self-regulation, ethical compliance, and active collaboration among lawmakers, companies, and civil society. Only then can we unlock the full potential of AI while building a solid foundation of trust and respect for fundamental rights.