{"slug": "the-algorithm-is-watching-can-gdpr-keep-up-with-ai", "title": "The Algorithm Is Watching: Can GDPR Keep Up With AI?", "summary": "GDPR, designed in 2018 for cookie banners and data breaches, struggles to regulate modern AI systems that absorb personal data into neural networks, making rights like erasure and explanation nearly impossible to enforce. The EU AI Act attempts to close the gap but overlaps messily with GDPR, leaving companies to navigate unclear rules as regulators play catch-up.", "body_md": "Quick confession: every time I try to explain GDPR to someone in AI, I end up saying some version of “the law technically applies, nobody’s totally sure how.” Not a great place for a regulation to be, eight years in.\n\nBack in 2018 the scary stuff was cookie banners and spam emails. Maybe a breach that leaked some passwords. Nobody writing that law in Brussels was picturing a model trained on a scrape of half the internet that barely existed yet, not at any real scale. Now it’s everywhere. And the law is straining at the seams trying to cover it.\n\nThe basic deal GDPR offers is simple enough: your data is yours, you get a say. Ask what a company has. Ask them to fix it. Ask them to delete it. Want to use it for something new? Ask first.\n\nFine, if your data’s a row in a spreadsheet. Ask, delete, done. AI doesn’t keep your data in a row, it absorbs it. Your old blog post, a photo, a comment you left on some forum in 2013, once that’s folded into a training run, it stops being a “thing” you can point to. It becomes part of billions of numbers that don’t map back to anything readable. A few things follow from that:\n\nThis isn’t a rounding error. It’s a real gap between what the law assumes data is, and what data has quietly become.\n\nArticle 17, right to erasure. Ask, and the company deletes it. Clean, satisfying, one of the more popular parts of GDPR for exactly that reason.\n\nThen you try it on a trained neural network and the whole idea kind of falls apart.\n\nIf your info got swept into a training set, there’s no delete key that just removes your slice. You’re not sitting in one spot, you’re smeared across the whole thing. The only real fix is retraining from scratch, and that’s expensive, slow, and honestly not even guaranteed to fully work.\n\nSo companies do what companies do: patch it. Filter certain outputs. Fine-tune the model to stop saying certain things. Poke around with “machine unlearning,” which sounds official but is still mostly a research paper, not a product. Regulators aren’t buying it either, and fair enough, hiding an answer isn’t the same as forgetting it.\n\nArticle 22 is about something else: the right not to have a purely automated system make a big call about you. Denied a loan. Filtered out of a hiring pipeline before a human even looks. Quoted a weirdly high insurance rate for no obvious reason.\n\nProblem is, a lot of these systems are black boxes even to the people who built them. Which causes a few headaches:\n\nThis is roughly where GDPR runs into the EU AI Act, which stacks on its own rules, transparency, risk tiers, human oversight, specifically aimed at AI. The two laws don’t fit together cleanly. Right now companies are mostly left to figure out the overlap on their own.\n\nTo be fair, nobody’s just sitting on their hands waiting for clearer rules. A handful of things have become fairly standard:\n\nNone of it fixes the core problem. But it’s a real shift from privacy as a checkbox to privacy as something you actually build around.\n\nGDPR was never written as AI law, and that’s the root of most of this mess. It’s a general privacy framework stretched over a technology that, in this form, didn’t exist yet when the ink dried. The AI Act is Europe trying to close that gap, but enforcement is still playing catch-up with what’s technically possible and I don’t see that changing anytime soon.\n\nIf you’re building or shipping AI right now, don’t wait around for friendlier rules. Assume they get stricter, and build for that. It’s coming either way.\n\n[The Algorithm Is Watching: Can GDPR Keep Up With AI?](https://blog.stackademic.com/the-algorithm-is-watching-can-gdpr-keep-up-with-ai-6a98961d9182) was originally published in [Stackademic](https://blog.stackademic.com) on Medium, where people are continuing the conversation by highlighting and responding to this story.", "url": "https://wpnews.pro/news/the-algorithm-is-watching-can-gdpr-keep-up-with-ai", "canonical_source": "https://blog.stackademic.com/the-algorithm-is-watching-can-gdpr-keep-up-with-ai-6a98961d9182?source=rss----d1baaa8417a4---4", "published_at": "2026-07-14 07:32:10+00:00", "updated_at": "2026-07-14 07:53:20.105562+00:00", "lang": "en", "topics": ["ai-policy", "ai-ethics", "ai-safety", "artificial-intelligence"], "entities": ["GDPR", "EU AI Act", "Stackademic", "Medium"], "alternates": {"html": "https://wpnews.pro/news/the-algorithm-is-watching-can-gdpr-keep-up-with-ai", "markdown": "https://wpnews.pro/news/the-algorithm-is-watching-can-gdpr-keep-up-with-ai.md", "text": "https://wpnews.pro/news/the-algorithm-is-watching-can-gdpr-keep-up-with-ai.txt", "jsonld": "https://wpnews.pro/news/the-algorithm-is-watching-can-gdpr-keep-up-with-ai.jsonld"}}