Proposed GDPR changes target AI development

Bias detection rules could extend beyond high risk systems.
EU proposes clearer GDPR rules for AI development.

The European Commission has proposed changes to the GDPR and the EU AI Act as part of its Digital Omnibus Package, seeking to clarify how personal data may be processed for AI development and operation across the EU.

A new provision would recognise AI development and operation as a potential legitimate interest under the GDPR, subject to necessity and a balancing test. Controllers in the EU would still need to demonstrate safeguards, including data minimisation, transparency and an unconditional right to object.

The package also introduces a proposed legal ground for processing sensitive data in AI systems where removal is not feasible without disproportionate effort. Claims that strict conditions would apply, requiring technical protections and documentation throughout the lifecycle of AI models in the EU.

Further amendments would permit biometric data processing for identity verification under defined conditions and expand the rules allowing sensitive data to be used for bias detection beyond high-risk AI systems.

Overall, the proposals aim to provide greater legal certainty without overturning existing data protection principles. The EU lawmakers and supervisory authorities continue to debate the proposals before any final adoption.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot