GDPR
EU regulation governing how personal data of EU residents must be collected, stored, processed, and deleted.
Basic
GDPR (General Data Protection Regulation) took effect in 2018 and applies to any organization anywhere in the world that processes personal data of EU residents. For AI, GDPR affects training data (can the model be trained on scraped EU PII?), inference (can the prompt contain PII that triggers a cross-border data transfer?), and logging (how long are prompts retained?). Fines reach €20M or 4% of global revenue, whichever is higher. Providers address GDPR via EU data residency, DPAs (data processing agreements), SCCs (standard contractual clauses), and explicit consent flows.
Deep
GDPR rests on six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Personal data includes anything that can identify a person: names, emails, IP addresses, biometric data, and sometimes prompt content. Key rights: access, rectification, erasure ("right to be forgotten"), portability, and objection. Cross-border transfers require Standard Contractual Clauses (SCCs) or an adequacy decision. The EU-US Data Privacy Framework (2023) re-enabled US transfers after Schrems II invalidated Privacy Shield. Frontier AI labs (OpenAI, Anthropic, Google, Mistral) all publish GDPR-aligned DPAs. Mistral defaults to EU data residency as competitive positioning.
Expert
GDPR Articles 5-11 define the core principles and lawful bases. Article 22 is critical for AI: it grants data subjects the right not to be subject to solely automated decision-making with legal or similarly significant effects. Articles 44-50 cover international transfers; post-Schrems II, SCCs require a transfer impact assessment (TIA). The right to erasure (Article 17) is particularly thorny for AI training: once a model is trained on personal data, "unlearning" without full retraining is an unsolved problem. DPIAs (Data Protection Impact Assessments, Article 35) are required for high-risk AI use cases.
Depending on why you're here
- GDPR covers personal data of EU residents worldwide
- Six lawful bases; consent is only one of them
- Article 22 restricts fully automated decision-making
- Sign a DPA with every AI provider handling EU user data
- Use EU-hosted endpoints where available (Mistral, OpenAI EU, Anthropic via AWS EU)
- See /pricing/eu-hosted for a filtered list
- GDPR non-compliance is an existential risk: fines of up to 4% of global revenue
- EU-native providers (Mistral) benefit from data-sovereignty positioning
- US providers have closed most of the gap with SCCs + DPF
- Europe's strict data privacy law
- Why every website asks about cookies
- Fines can hit €20M or 4% of global revenue
GDPR is why Mistral ships before it has the best model: EU data residency is a moat, not a feature.