# The Algorithm Is Watching: Can GDPR Keep Up With AI?

> Source: <https://blog.stackademic.com/the-algorithm-is-watching-can-gdpr-keep-up-with-ai-6a98961d9182?source=rss----d1baaa8417a4---4>
> Published: 2026-07-14 07:32:10+00:00

Quick confession: every time I try to explain GDPR to someone in AI, I end up saying some version of “the law technically applies, nobody’s totally sure how.” Not a great place for a regulation to be, eight years in.

Back in 2018 the scary stuff was cookie banners and spam emails. Maybe a breach that leaked some passwords. Nobody writing that law in Brussels was picturing a model trained on a scrape of half the internet that barely existed yet, not at any real scale. Now it’s everywhere. And the law is straining at the seams trying to cover it.

The basic deal GDPR offers is simple enough: your data is yours, you get a say. Ask what a company has. Ask them to fix it. Ask them to delete it. Want to use it for something new? Ask first.

Fine, if your data’s a row in a spreadsheet. Ask, delete, done. AI doesn’t keep your data in a row, it absorbs it. Your old blog post, a photo, a comment you left on some forum in 2013, once that’s folded into a training run, it stops being a “thing” you can point to. It becomes part of billions of numbers that don’t map back to anything readable. A few things follow from that:

This isn’t a rounding error. It’s a real gap between what the law assumes data is, and what data has quietly become.

Article 17, right to erasure. Ask, and the company deletes it. Clean, satisfying, one of the more popular parts of GDPR for exactly that reason.

Then you try it on a trained neural network and the whole idea kind of falls apart.

If your info got swept into a training set, there’s no delete key that just removes your slice. You’re not sitting in one spot, you’re smeared across the whole thing. The only real fix is retraining from scratch, and that’s expensive, slow, and honestly not even guaranteed to fully work.

So companies do what companies do: patch it. Filter certain outputs. Fine-tune the model to stop saying certain things. Poke around with “machine unlearning,” which sounds official but is still mostly a research paper, not a product. Regulators aren’t buying it either, and fair enough, hiding an answer isn’t the same as forgetting it.

Article 22 is about something else: the right not to have a purely automated system make a big call about you. Denied a loan. Filtered out of a hiring pipeline before a human even looks. Quoted a weirdly high insurance rate for no obvious reason.

Problem is, a lot of these systems are black boxes even to the people who built them. Which causes a few headaches:

This is roughly where GDPR runs into the EU AI Act, which stacks on its own rules, transparency, risk tiers, human oversight, specifically aimed at AI. The two laws don’t fit together cleanly. Right now companies are mostly left to figure out the overlap on their own.

To be fair, nobody’s just sitting on their hands waiting for clearer rules. A handful of things have become fairly standard:

None of it fixes the core problem. But it’s a real shift from privacy as a checkbox to privacy as something you actually build around.

GDPR was never written as AI law, and that’s the root of most of this mess. It’s a general privacy framework stretched over a technology that, in this form, didn’t exist yet when the ink dried. The AI Act is Europe trying to close that gap, but enforcement is still playing catch-up with what’s technically possible and I don’t see that changing anytime soon.

If you’re building or shipping AI right now, don’t wait around for friendlier rules. Assume they get stricter, and build for that. It’s coming either way.

[The Algorithm Is Watching: Can GDPR Keep Up With AI?](https://blog.stackademic.com/the-algorithm-is-watching-can-gdpr-keep-up-with-ai-6a98961d9182) was originally published in [Stackademic](https://blog.stackademic.com) on Medium, where people are continuing the conversation by highlighting and responding to this story.
