
AI and Data Protection

Many business decision makers are already thinking about, or have already integrated, Artificial Intelligence (AI) into their day-to-day business operations. This seismic shift in technical capability comes with challenges, and it must be carried out in accordance with a range of legal requirements relating to the protection of data, specifically personal data.

What are the legal requirements?

1. General Data Protection Regulation (GDPR) – Europe

The GDPR (an EU regulation that applies directly in every member state) sets strict rules on how AI systems may process personal data. Key requirements include:

Lawful Basis for Processing (Article 6)

  • Every AI system that processes personal data must rest on one of the lawful bases in Article 6 (e.g., consent, performance of a contract, legal obligation, legitimate interests) before processing begins, and the basis must be identified and documented in advance.

Data Subject Rights (Articles 12-22)

  • Individuals have rights such as:

    • Right to be informed (Articles 13-14), which for AI includes meaningful information about the logic involved in automated decision-making

    • Right of access to their data (Article 15)

    • Right to rectification (Article 16)

    • Right to erasure, the "right to be forgotten" (Article 17)

    • Right to object to processing, including profiling (Article 21)

    • Right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects (Article 22), which in practice means AI-driven decisions of that kind need human oversight

Automated Decision-Making & Profiling (Article 22)

  • If an AI system makes decisions based solely on automated processing that produce legal effects or similarly significantly affect individuals, such decisions are only permitted where they are necessary for a contract, authorised by law, or based on explicit consent. Where they are permitted, individuals must have:

    • The right to obtain human intervention

    • The right to express their point of view and to contest the decision

    • Transparency about the logic involved, and the significance and envisaged consequences of the processing

Privacy by Design & Default (Article 25)

  • AI systems must build data protection into their design from the outset and apply the most protective settings by default (e.g., data minimisation, pseudonymisation, encryption, limiting who can access training and inference data).

Data Protection Impact Assessment (DPIA) (Article 35)

  • Where AI processing is likely to result in a high risk to individuals (e.g., biometric recognition, systematic profiling, large-scale processing of special category data), organisations must conduct a DPIA before processing starts.

Cross-Border Data Transfers (Articles 44-50)

  • AI systems that transfer personal data outside the EU/EEA (including to cloud-hosted AI services) must comply with the international transfer rules (e.g., an adequacy decision, Standard Contractual Clauses supported by a transfer risk assessment, or Binding Corporate Rules).

2. Artificial Intelligence Act (EU AI Act) – Europe

The EU AI Act entered into force on 1 August 2024 and its obligations apply in phases, starting with the prohibited practices in February 2025. It introduces risk-based AI regulation:

  • Unacceptable risk AI (banned): e.g., real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions), social scoring.

  • High-risk AI (strict requirements on risk management, data governance, documentation, human oversight and conformity assessment): e.g., healthcare, credit scoring and banking, critical infrastructure, employment and education.

  • Limited-risk AI (transparency obligations): e.g., AI chatbots.

  • Minimal-risk AI (no additional obligations): e.g., AI-powered video games, spam filters.

If an AI system processes personal data, it must comply with both the EU AI Act and the GDPR; the AI Act does not replace or relax GDPR obligations.

3. California Consumer Privacy Act (CCPA) & CPRA – USA

The CCPA (enacted 2018) as amended by the CPRA (in effect from 1 January 2023) sets AI-related data protection rules for businesses handling California residents' data:

  • Right to opt out of automated decision-making technology, as provided for in the regulations issued under the CPRA

  • Right to know whether automated decision-making is being used to make decisions about them, and to receive meaningful information about its logic

  • Right to correct and delete personal data

  • Stronger requirements for sensitive personal information (e.g., biometric data), including the right to limit its use

4. UK GDPR & AI Regulation

  • The UK GDPR mirrors the EU GDPR in substance, but the UK government has taken a sector-led, "pro-innovation" approach to AI regulation rather than a single AI law.

  • Existing regulators apply a common set of principles to AI systems in their sectors, including safety, transparency and explainability, fairness, accountability and governance, and contestability and redress. Note – visit the Information Commissioner's Office (ICO) website for its AI and data protection guidance.

5. China's Personal Information Protection Law (PIPL)

  • Similar to the GDPR, but stricter on data localisation: operators of critical information infrastructure, and handlers processing personal information above thresholds set by the regulator, must store that data within China, and any cross-border transfer requires a security assessment, certification or standard contract.

  • Requires separate consent for processing sensitive personal information and for transferring personal information abroad, and gives individuals the right to an explanation of, and to refuse, decisions made solely by automated means that significantly affect them.

  • Prohibits unreasonable differential treatment of individuals through automated decision-making (e.g., discriminatory pricing).

How do you address the legal challenges around AI?

Organisations should ensure that they have considered the legal requirements from the very start of their project, before designs are fixed and contracts with AI vendors are signed.

How does the assessment work?

We typically work with our clients to undertake a risk-based assessment of the AI use cases aligned to their project. This involves:

  • Reviewing specific use cases (e.g. a Co-Pilot implementation)

  • Undertaking the legally mandated risk assessments (e.g. a DPIA)

  • Addressing any areas of non-compliance

  • Working with designers and implementers to ensure that the AI implementation aligns to the legal requirements and that the risk assessment recommendations have been put in place.

Note – an early-stage review of AI and data protection is vital for removing compliance risk from your project, and it also reduces the likelihood of reworking requirements and costly re-development.

Find out more

Data Privacy Services are experts in the data protection compliance of AI solutions. We work with founders and business decision makers to address the risks and compliance requirements. Contact us to arrange a call and discuss your AI project.
