What does GDPR really say about AI?

The language of GDPR is neutral with regard to specific technologies like AI, because its purpose is to ensure the protection of personal data no matter what kind of processing is used.

GDPR applies to all automated processing of personal data, not just to AI

After the introduction to the debate about GDPR’s potential impact on AI in the previous section, it may come as a surprise to learn that the words “artificial intelligence” do not appear anywhere in the GDPR. Nor does the related expression “machine learning.” Indeed, not even the common term “algorithm” is present in the text, despite extensive discussion by legal scholars of the GDPR’s limits on “algorithmic decision-making.”


Instead, in the celebrated Article 22, we learn:

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

The GDPR’s concern with “automated processing” is not an innovation in European data protection law. In fact, similar language (though differing in significant respects) appeared in the GDPR’s ancestor law, the EU’s 1995 Data Protection Directive.

Thus the GDPR seeks to regulate not just AI or machine learning, but all decisions with legal or other significant effects on individuals that are based “solely on automated processing” of personal data. This is a much broader category than AI. In fact, it is so broad that it includes most processing of personal data carried out solely by a computer.


We see then that the language of the GDPR was crafted to be neutral with respect to specific technologies such as AI. This should reassure us that the EU has no desire to restrict the use of AI in Europe. Instead, its adoption of GDPR reflects the much more fundamental idea that individuals have the right not to have important decisions made about them by computers alone—that is, not unless they have given their consent, or unless one of a small number of other compelling reasons enumerated by the law justifies such a procedure.

GDPR does not apply to non-personal data

We will look more closely at the questions raised above in the next section. But first let’s consider another crucial fact about GDPR’s impact on AI. Many of the most important AI applications do not process the personal data of individuals at all and are therefore not affected by the GDPR. Examples that come to mind are self-driving cars, machine translation, talking chatbots, analysis of satellite images, and a vast array of AI uses in industry to monitor safety conditions, maintain machinery, or supervise production processes. We present on this page two short videos that illustrate such applications.

View the Microsoft AI YouTube video: Speak Chinese like a local