AI's Appetite vs. Individual Rights: Finding a Lawful Basis for Training Data Under GDPR

Apr 20, 2025

Introduction

The rise of powerful Artificial Intelligence, exemplified by models like OpenAI's GPT-4 and the newer, highly capable GPT-4o, is transforming industries. These marvels of engineering rely on incredibly vast datasets for their training, enabling them to generate human-like text, translate languages, create content, and even interact through voice and vision. However, this reliance on massive amounts of data, often scraped from the public internet, runs headlong into the stringent requirements of the EU's General Data Protection Regulation (GDPR). A critical question arises: What is the lawful basis for processing the potentially vast amounts of personal data contained within these training sets? This post delves into the complexities of establishing GDPR compliance, specifically regarding the lawful basis for AI training data.

The GDPR Mandate: Lawfulness, Fairness, and Transparency

At the heart of GDPR lies the principle that all processing of personal data must be lawful, fair, and transparent (Article 5(1)(a)). Article 6 of the GDPR explicitly states that processing is only lawful if at least one of the following bases applies:

  1. Consent: The individual has given clear consent for a specific purpose.

  2. Contract: Processing is necessary for the performance of a contract.

  3. Legal Obligation: Processing is necessary to comply with the law.

  4. Vital Interests: Processing is necessary to protect someone’s life.

  5. Public Task: Processing is necessary for1 performing a task in the public interest.

  6. Legitimate Interests: Processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject.

The AI Training Data Dilemma: Consent vs. Legitimate Interests

Training models like those in the GPT series often involves processing petabytes of text and image data harvested from the web. This data inevitably includes personal information – names, opinions, posts, pictures, and more.

  • Consent (Article 6(1)(a)): Obtaining explicit, informed consent from every individual whose data might be included in such a vast, often historical, dataset is practically impossible. The scale and the method of collection (web scraping) make individual consent management unfeasible for the initial training phase of many foundational models.

  • Legitimate Interests (Article 6(1)(f)): This often becomes the default consideration. AI developers might argue they have a legitimate interest in innovation, developing beneficial technologies, and competing globally. However, relying on legitimate interests requires a careful balancing act, known as the Legitimate Interests Assessment (LIA):

    • Identify the legitimate interest: Is AI development a valid interest? (Generally, yes).

    • Necessity: Is processing this specific personal data strictly necessary to achieve that interest? Could anonymized or synthetic data suffice?

    • Balancing Test: Do the organization's interests outweigh the individuals' fundamental rights and freedoms (including their right to privacy)? This is the most contentious part. Individuals whose data is scraped are often unaware, cannot easily object, and the potential impact of their data being embedded in a global AI model is significant.

Recent Developments and the GPT Context

The tension between GDPR and AI training data is not theoretical. Regulators are actively scrutinizing these practices.

  • Regulatory Scrutiny: European Data Protection Authorities (DPAs), like Italy's Garante (which temporarily banned ChatGPT in 2023 over privacy concerns, including the lack of legal basis for training data), and the European Data Protection Board (EDPB) establishing a dedicated task force, highlight the regulatory focus. While specific outcomes of investigations are often confidential or ongoing, the direction is clear: justifications are needed.

  • OpenAI's Position: OpenAI has acknowledged using publicly available internet data but has also stated efforts towards filtering personal information and respecting opt-outs (like via robots.txt). However, the effectiveness and GDPR compliance of these measures, especially concerning data already processed, remain subjects of debate and potential legal challenges (e.g., complaints filed by privacy advocacy groups like NOYB).

  • GPT-4o and Beyond: The introduction of models like GPT-4o, with enhanced capabilities including real-time voice and vision processing, potentially broadens the scope of personal data these systems interact with during use. While this draft focuses on training data, the underlying principles of lawful basis also apply to data processed during inference/operation, adding layers to the compliance challenge.

Analysis: The Uncomfortable Fit

Applying GDPR's lawful basis framework, designed before the advent of such large-scale generative AI, to current AI training practices reveals an uncomfortable fit.

  • Retroactive Compliance: Establishing a lawful basis retrospectively for data collected years ago via web scraping is highly problematic.

  • Transparency Failure: The lack of transparency inherent in using web-scraped data means individuals are often unaware their data was used, undermining the fairness principle.

  • Risk Assessment: Organizations developing or deploying AI trained on potentially non-compliant data face significant risks, including hefty GDPR fines (up to 4% of global annual turnover), legal action, and reputational damage.

Looking Ahead: Towards Responsible AI Training

The path forward requires a multi-faceted approach. While regulatory guidance evolves (including interactions with the upcoming EU AI Act), organizations must proactively address these challenges:

  • Prioritizing Privacy-Preserving Techniques: Exploring increased use of truly anonymized datasets, synthetic data generation, and federated learning where possible.

  • Enhanced Transparency: Being clearer about data sources and processing activities involved in training.

  • Robust Data Governance: Implementing strong internal policies for data collection and usage in AI development.

  • Privacy by Design: Embedding GDPR principles from the very beginning of the AI development lifecycle, not as an afterthought.

Conclusion

The incredible potential of AI models like GPT-4o cannot be unlocked by sidestepping fundamental data protection rights. Establishing a clear and defensible lawful basis under GDPR for the vast datasets used in AI training remains one of the most significant hurdles for the AI industry. Navigating this requires careful legal analysis, ethical consideration, technical innovation, and a genuine commitment to respecting individual privacy in the age of artificial intelligence.

Disclaimer: This blog post provides general information and analysis based on publicly available resources. It does not constitute legal advice. Organizations should consult with qualified legal counsel for advice specific to their situation regarding GDPR compliance and AI.

Catalogue

·

Introduction

The GDPR Mandate: Lawfulness, Fairness, and Transparency

The AI Training Data Dilemma: Consent vs. Legitimate Interests

Recent Developments and the GPT Context

Analysis: The Uncomfortable Fit

Looking Ahead: Towards Responsible AI Training

Conclusion

GDPR-CCPA

GDPR

GDPR Hub

CCPA/CPRA

CCPA/CPRA Hub

AI Insights

GDPR-CCPA

GDPR

GDPR Hub

CCPA/CPRA

CCPA/CPRA Hub

AI Insights

GDPR-CCPA

GDPR

GDPR Hub

CCPA/CPRA

CCPA/CPRA Hub

AI Insights