AIRiskAware

GDPR and AI

The EU General Data Protection Regulation (GDPR) applies to any AI system that processes the personal data of individuals in the European Union, including systems run by organisations with no EU establishment where the processing relates to offering goods or services to those individuals or to monitoring their behaviour in the EU (Article 3). Because most enterprise AI tools are trained on, or process, personal data, GDPR is one of the most widely applicable regulations affecting AI deployment globally.

Who it applies to

GDPR applies to any organisation established in the EU that processes personal data, and to organisations established elsewhere when they offer goods or services to individuals in the EU or monitor their behaviour there (Article 3). An Australian company selling to EU customers, an app that tracks the activity of EU users, or a business with staff in the EU is therefore subject to GDPR when processing those individuals' personal data. The extraterritorial reach is deliberate, and EU supervisory authorities have actively enforced the regulation against non-EU entities.

Key GDPR obligations for AI systems

Art 5: Data minimisation
AI systems may only process personal data that is adequate, relevant and limited to what is necessary for the purpose for which it is processed (Article 5(1)(c)). Training a model on vast datasets of personal information simply to improve general performance, with no purpose-specific justification, may breach this principle.
Art 6: Lawful basis
Every AI system processing personal data must rest on one of the six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Legitimate interests requires a balancing test (a legitimate interests assessment) weighing the organisation's interest against the individual's rights and freedoms; because the accountability principle in Article 5(2) requires the organisation to be able to demonstrate compliance, that assessment should be documented.
Art 22: Automated decision-making
Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on them. AI-driven credit, employment and insurance decisions are typical examples.
Art 25: Data protection by design and by default
Data protection must be built into AI systems from the design stage rather than added afterwards. Article 25 covers both technical measures (it names pseudonymisation as an example; access controls are another) and organisational measures (policies, training), and requires that by default only the personal data necessary for each specific purpose is processed.
Art 35: Data Protection Impact Assessment
Processing that is likely to result in a high risk to individuals requires a DPIA before the processing starts. Article 35(3) names three cases that always qualify: systematic and extensive evaluation of individuals based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special-category or criminal-conviction data; and systematic, large-scale monitoring of a publicly accessible area. Where the DPIA shows a residual high risk that cannot be mitigated, the supervisory authority must be consulted before processing begins (Article 36).
Art 13/14: Transparency
Individuals must be told whether automated decision-making within the meaning of Article 22 is used, given meaningful information about the logic involved, and told the significance and envisaged consequences of the processing, in clear and plain language. Under Article 13 this is due at the time the data is collected from the individual; under Article 14, where the data is obtained from another source, within a reasonable period and at the latest within one month. Article 15(1)(h) gives the individual the same information on request.

Article 22: automated decision-making rights

Article 22 is the most AI-specific provision in the regulation. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision produces legal effects or similarly significant effects on them. This applies to AI-driven credit scoring, recruitment filtering, insurance pricing and benefit eligibility decisions.

Article 22(2) permits such decisions in three cases: where necessary for entering into or performing a contract with the individual, where authorised by Union or Member State law that lays down suitable safeguards, or where the individual has given explicit consent. In the contract and consent cases the organisation must itself implement suitable safeguards, at a minimum the right to obtain human intervention, to express a point of view and to contest the decision (Article 22(3)); decisions based on special-category data are further restricted by Article 22(4). Simply having a human technically in the loop is not sufficient: the reviewer must have the authority and competence to change the outcome and must actually consider the case rather than rubber-stamp the automated output. Note also that the CJEU held in SCHUFA (Case C-634/21, December 2023) that generating a credit score can itself be a decision under Article 22 when a third party draws strongly on it, so the provision can reach the organisation running the scoring model, not only the downstream decision-maker.

GDPR and the Australian Privacy Act

Australia's Privacy Act 1988 (Cth) and its Australian Privacy Principles share many concepts with GDPR (transparency, purpose limitation, data minimisation, security), but there are important differences. GDPR has explicit automated decision-making rights; the Privacy Act currently has none, so Australian organisations with EU operations or EU customers must comply with both regimes. From 10 December 2026, APP 1.7 (inserted by the Privacy and Other Legislation Amendment Act 2024) requires an organisation's privacy policy to disclose the kinds of personal information used by computer programs to make, or substantially and directly assist in making, decisions that could reasonably be expected to significantly affect an individual's rights or interests, and the kinds of decisions so made. That is a disclosure obligation only: it brings Australian law closer to Article 22 but does not give individuals a right to human review of, or to contest, the decision.
