GDPR
The EU's General Data Protection Regulation establishing comprehensive rules for personal data processing and storage.
Definition
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union, effective since May 2018. It establishes requirements for the lawful collection, processing, storage, and transfer of personal data, and grants individuals rights including access, rectification, erasure, and objection to automated decision-making. The regulation applies to any organisation processing the personal data of individuals within the EU, regardless of where the organisation is based. Non-compliance can result in fines of up to 4% of global annual turnover. The GDPR has become a foundational reference point in global data protection governance and a benchmark against which AI data practices are evaluated.
How It Relates to AI Threats
The GDPR intersects with AI threats primarily within the Privacy & Surveillance domain. AI systems frequently depend on large-scale personal data collection for training and inference, creating tension with GDPR principles of data minimisation, purpose limitation, and informed consent. Behavioural profiling without consent, a sub-category of privacy threats, directly implicates GDPR provisions. The regulation’s requirements around automated decision-making (Article 22) and the right to explanation are particularly relevant to AI systems that make consequential decisions about individuals. Enforcement actions under the GDPR have addressed AI-related data practices in areas including facial recognition, targeted advertising, and predictive analytics.
Why It Occurs
- AI systems require large datasets that often include personal information, creating inherent tension with data protection principles
- The global reach of AI services and data flows complicates jurisdictional enforcement
- Concepts such as “consent” and “purpose limitation” are difficult to apply to models trained on aggregated data from multiple sources
- The opacity of deep learning models challenges the GDPR’s transparency and explainability requirements
- Rapid AI deployment has outpaced the development of compliance frameworks specific to machine learning systems
Real-World Context
GDPR enforcement has produced significant rulings relevant to AI practices. The Italian data protection authority temporarily banned ChatGPT in 2023 over concerns about the lawful basis for data processing and age verification, prompting OpenAI to implement compliance measures. The regulation has informed broader global data protection legislation, including frameworks adopted in Brazil, Japan, and multiple other jurisdictions. Within the AI threat landscape, the GDPR provides one of the most developed legal mechanisms for addressing privacy harms arising from AI data collection and automated profiling.
Last updated: 2026-02-14