EDPB Opinion Puts GDPR Principles at the Heart of Responsible AI Development

The European Data Protection Board (EDPB) has weighed in on one of the most pressing issues of our time: how to ensure that AI technology respects privacy while driving innovation. In a newly adopted opinion, the EDPB tackled the thorny questions of when AI models can be considered anonymous, how “legitimate interest” fits into the equation, and what happens if an AI model is built on shaky—if not outright unlawful—data practices.

The opinion, requested by the Irish Data Protection Authority (DPA), reflects the EDPB’s intent to harmonize AI oversight across Europe while navigating the fine line between progress and privacy.

As EDPB Chair Talus put it, “AI technologies may bring many opportunities and benefits to different industries and areas of life. We need to ensure these innovations are done ethically, safely, and in a way that benefits everyone. The EDPB wants to support responsible AI innovation by ensuring personal data are protected and in full respect of the General Data Protection Regulation (GDPR).”

The opinion dives into three pivotal questions that are central to how AI and privacy intersect:

1. When is an AI Model Truly Anonymous? The EDPB makes it clear that anonymity is not a one-size-fits-all label. National data protection authorities (DPAs) will need to assess AI models individually to determine if they qualify as anonymous. To meet the standard, there should be almost no chance that individuals can be identified—directly or indirectly—or that personal data can be extracted from the model. While the opinion lists methods to ensure anonymity, it’s careful not to prescribe a one-size-fits-all approach, recognizing the diverse and evolving nature of AI technology.
2. Can “Legitimate Interest” Justify AI’s Data Appetite? “Legitimate interest” has always been a slippery slope, and the EDPB provides a three-step test to help DPAs decide when it can be used as a legal basis for data processing in AI. Practical examples, like AI-powered customer support tools or systems to bolster cybersecurity, show how these interests might align with individual benefits—so long as the processing is truly necessary and carefully balances rights and risks.
3. What Happens When Data is Processed Illegally? The opinion delivers a firm warning: if personal data is unlawfully processed to train an AI model, that model’s deployment could be on shaky ground—unless the data has been anonymized properly. It’s a stark reminder to developers and companies that cutting corners on compliance can have far-reaching consequences.

Bringing Privacy Expectations into Focus

Beyond these headline issues, the EDPB zooms in on how DPAs can assess individuals’ expectations about their personal data. Factors like whether the data was publicly available, the relationship between the individual and the organization, and the transparency of data use all play a role.

The Board also offers a practical twist: where data processing might overstep individual rights, mitigation strategies—like better transparency or technical safeguards—can help tip the balance back toward compliance.

The EDPB’s opinion underscores the unique challenges posed by AI’s rapid evolution. Rather than attempting to issue one-size-fits-all rules, it offers a flexible framework that DPAs can adapt to each situation.

“The diversity of AI models means there are no easy answers here,” the opinion acknowledges, but it provides tools to help regulators make informed, balanced decisions.

The opinion is just one piece of a larger puzzle. The EDPB is already working on more detailed guidelines to address specific issues, such as web scraping—a common and often controversial practice in AI training. These forthcoming guidelines aim to bring even more clarity to this fast-moving field.

A Steady Hand Amid AI’s Rapid Progress

As AI reshapes industries and daily life, the EDPB’s opinion serves as a thoughtful guide to balancing innovation with responsibility. It’s a timely reminder that respecting privacy isn’t just a legal requirement; it’s the foundation of trustworthy AI. For businesses, regulators, and citizens, this opinion is a clear signal that Europe is committed to leading the way in ethical AI.

In the end, it’s about building technology that works for people, not against them—and the EDPB seems determined to ensure that’s exactly what happens.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.