Regulatory Concept

Data Protection

Legal and technical frameworks governing collection, processing, and sharing of personal data.

Definition

Data protection encompasses the legal, regulatory, and technical frameworks that govern how personal data is collected, stored, processed, shared, and deleted. Key regulatory instruments include the European Union’s General Data Protection Regulation (GDPR), national data privacy laws (such as the UK Data Protection Act 2018 and Brazil’s LGPD), and sector-specific rules in jurisdictions like the United States. Data protection principles typically include lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and accountability. In the context of AI, data protection frameworks are being tested by systems that process personal data at scale, infer sensitive attributes from non-sensitive inputs, and operate with limited transparency.

How It Relates to AI Threats

Data protection is a foundational regulatory concept within the Privacy & Surveillance domain. AI systems challenge existing data protection frameworks in several ways. Behavioural profiling without consent occurs when AI aggregates user data to generate detailed behavioural profiles beyond what users have explicitly agreed to. Sensitive attribute inference allows AI models to derive protected characteristics (such as health status, sexual orientation, or political affiliation) from ostensibly non-sensitive data, potentially circumventing consent mechanisms. The opacity of many AI models further complicates data protection compliance, as data subjects may not be able to determine what personal data has been used, how it has been processed, or what inferences have been drawn.

Why It Occurs

  • AI systems process personal data at volumes and speeds that exceed the assumptions underlying existing data protection frameworks
  • Inference capabilities allow AI to derive sensitive information from data that was not itself classified as sensitive at the time of collection
  • Cross-border data flows complicate jurisdictional enforcement of data protection regulations
  • The training of AI models on large datasets often involves personal data for which the original consent scope did not anticipate AI processing
  • Regulatory enforcement capacity has not scaled proportionally with the pace of AI deployment

Real-World Context

The Italian data protection authority’s temporary ban on ChatGPT (INC-23-0003) marked one of the first regulatory enforcement actions directly targeting an AI system on data protection grounds. The Garante per la protezione dei dati personali cited concerns about the lawful basis for processing personal data in model training, the lack of age verification mechanisms, and insufficient transparency about data handling practices. The action prompted OpenAI to implement changes to its data practices and triggered similar regulatory inquiries across multiple European jurisdictions. The case underscored the tension between large-scale AI deployment and established data protection principles, and has contributed to ongoing regulatory development around AI-specific data governance requirements.

Last updated: 2026-02-14