The relationship between data protection and AI is incredibly close, which is why concepts introduced by the GDPR are also relevant in the field of AI. The transformation in the meaning of one of the most frequently used terms in the GDPR lexicon is remarkable. This word, which ranks high in GDPR vocabulary, is “data processing,” and it has recently acquired an entirely new significance.
During the “IT ancient era,” which lasted until the end of 2022, and in today’s AI-driven world, data protection documentation was required to regulate IT systems that processed personal data. A classic example of this is the operation of enterprise resource planning (ERP) systems.
In these “push-button” systems, data we transferred was processed through predefined operations. As these were closed systems, the outcome was always predetermined.
We would like to note that history appears to be repeating itself once again. The “push-button” analogy, symbolizing obsolescence, was popularized by Nokia’s mobile phones. Nokia continued to manufacture push-button phones even when the rest of the world had moved to touchscreens. As we stand at the threshold of a new IT era, the “push-button” label can easily be applied to programs that are becoming obsolete because they lack AI integration, making it impossible for users to execute common tasks with a simple command. This naturally involves significant user profiling, which, while not the focus of this article, is a noteworthy point.
Returning to the core issue, in these “push-button” systems, the user was the data processor, manually interacting with the graphical user interface to process the data. From the perspective of the AI era, this was a “misleading” form of data processing because the user controlled the process up to the final result.
This crucial control element—what we consider to be the key factor—is now absent in AI-assisted data processing. Users give commands through natural language, but they are no longer actively involved in the execution of the process.
The rise of AI has fundamentally changed the nature of data processing. The individual, once an active participant, is now a passive observer. Handing over control to AI opens a new chapter in data protection history and presents significant challenges. Companies and organizations must proactively review their data protection practices to ensure they meet the demands of the AI era. Likewise, users need to understand how their data is being used by AI systems and what rights they have to protect it.
AI systems’ capabilities extend far beyond simple data processing, touching on areas like user profiling and predictive analytics, which carry heightened data protection risks.
Data protection documentation must clearly and transparently explain how AI is being used to process data and what safeguards are in place to protect individual rights and freedoms. Only through such clarity can the benefits of AI be harnessed in alignment with the core principles of data protection.
Dr. Kozsla László, AI Officer
Dr. Miklós Péter, GDPR lawyer