AI is not "outside the law." Every personal data flow through an AI system is already covered by GDPR, and the EU AI Act adds extra rules for high-risk and general-purpose systems on top.
The main AI and data privacy concerns in 2026 are training without a lawful basis, prompts becoming training data, cross-border transfers, hallucinations about real people, biometric inference, hidden profiling, shadow AI, and AI-driven surveillance.
ChatGPT is not fully GDPR compliant: the Italian Garante banned and then fined it, and the EDPB Taskforce flagged unresolved issues with the GDPR accuracy principle in 2024.
A DPIA is mandatory for high-risk AI processing under EDPB 2024-2025 guidelines, and seven safeguards (from data minimisation to staff training) are achievable this quarter.
A Berlin software engineer once pasted a full customer list into ChatGPT to "summarise the next steps." Two hours later her DPO was on a call with legal. That single paste is the story of why AI and data privacy concerns moved from a niche policy debate to a board-level emergency across Europe in less than a year. This 2026 guide gives you the honest picture of what generative AI does with personal data, how GDPR and the EU AI Act fit together, and the seven safeguards every business should put in place this quarter.
What Are the Main AI and Data Privacy Concerns in 2026?
The main AI and data privacy concerns in 2026 are training on personal data without a lawful basis, prompts becoming future training data, cross-border transfers to US-hosted models, hallucinations about real people, biometric inference, hidden profiling, shadow AI inside companies, and AI-driven surveillance. GDPR still applies in full, and the EU AI Act adds new duties on top.
The 60-Second Verdict
AI is not "outside the law." Every personal data flow through an AI system is already covered by GDPR. The EU AI Act adds extra rules for high-risk and general-purpose systems on top.
Why This Matters Right Now
The European Data Protection Board confirmed in its 2024 ChatGPT Taskforce report that compliance with the GDPR accuracy principle remains a serious open question for large language models. National regulators have already issued orders.
How Generative AI Collects and Processes Personal Data
Generative AI touches personal data at three points. Most teams only notice the last one.
Training Data Scraping and Legality
LLMs are trained on huge volumes of public web data, which often includes personal data. The legal basis under Article 6 GDPR is contested. Most vendors rely on legitimate interests, which regulators are testing case by case.
Inference Time Prompts and Outputs
When an employee pastes a customer email into a chatbot, that text becomes a processing event. If training is on by default, the data may also persist.
Profiling and Automated Decision-Making
When AI scores a CV, a loan, or a fraud risk, Article 22 GDPR on automated decision-making kicks in. The person has the right to a human review.
8 Real AI and Data Privacy Concerns Right Now
This is the section other privacy writers keep linking to, so here it is plainly.
1. Training on personal data without a lawful basis. Web-scraped data sets often include names, photos, and CVs. Whether that is lawful under GDPR is still being litigated across the EU.
2. Prompts becoming future training data. If the vendor's settings allow training on inputs, your team's prompts may resurface in someone else's output.
3. Cross-border transfers to US-hosted models. Most popular AI tools run on US infrastructure, which raises Schrems II concerns even with the EU-US Data Privacy Framework in place.
4. Hallucinations about real people. When AI invents a fact about a named individual, that is a GDPR accuracy problem. The Italian Garante and the EDPB have both flagged this.
5. Biometric inference and emotion recognition. The EU AI Act bans certain uses outright in 2026, like emotion recognition in workplaces and schools.
6. Algorithmic profiling and hidden scoring. Recommender systems and ad-tech profiling continue to draw EDPB attention, especially for sensitive categories.
7. Shadow AI inside companies. Eurobarometer surveys show widespread employee use of consumer AI tools, often without IT approval.
8. AI-driven surveillance and tracking. Public-space biometric identification is heavily restricted under the EU AI Act, with narrow law-enforcement exceptions.
Pasting personal data into a consumer AI tool without a Data Processing Agreement, training opt-out, and a transfer impact assessment is one of the fastest ways for a European business to land on a national DPA's radar in 2026.
GDPR vs EU AI Act: How They Interact
Many teams still think they have to choose between the two. They do not. Both apply, and they were designed to layer on top of each other.
Where GDPR Applies
Any processing of personal data, including by an AI system, falls under GDPR. The European Commission has been clear that the AI Act does not replace GDPR.
Where the EU AI Act Adds New Duties
The AI Act adds risk classifications, transparency duties for general-purpose AI, and outright bans on a few uses. According to the European Parliament, general-purpose AI obligations entered into application in August 2025, with high-risk system rules phased in through 2026 and 2027.
Side-by-Side Comparison
Area | GDPR | EU AI Act
Scope | Any personal data processing | AI systems placed on the EU market
Lawful basis | Art. 6 and Art. 9 GDPR | Not a lawful basis on its own
Risk model | Risk to data subjects | Risk to fundamental rights and safety
Enforcer | DPAs and EDPB | EU AI Office plus national market surveillance
Fines | Up to 4% of global turnover | Up to 7% of global turnover for banned uses
Is ChatGPT GDPR Compliant?
Not fully. Better than it was, still imperfect.
The Italian Garante 2023 Order
In March 2023, the Italian Garante temporarily banned ChatGPT over GDPR breaches around lawful basis, age controls, and accuracy. OpenAI made changes to come back online, but the underlying questions never fully closed.
EDPB ChatGPT Taskforce Status in 2026
The EDPB Taskforce reported in May 2024 that GDPR's accuracy principle remains a structural challenge for LLMs. Several national DPAs continue to investigate in 2026, and OpenAI was fined €15 million by the Italian Garante in late 2024.
Cross-Border Data Transfers After Schrems II
This is the section consultancies usually charge for.
EU-US Data Privacy Framework Today
The 2023 EU-US Data Privacy Framework restored a legal route for many transfers to certified US companies. The Court of Justice of the EU is, of course, expected to test it again.
What Enterprises Should Sign Before Using US AI Tools
A signed Data Processing Agreement with the AI vendor.
Standard Contractual Clauses as a backup to the framework.
A transfer impact assessment documenting risks and mitigations.
Confirmation that training on your data is off by default.
How to Run a DPIA for an AI System
A Data Protection Impact Assessment is mandatory whenever AI is likely to result in a high risk to individuals. The EDPB's 2024-2025 guidelines made that crystal clear.
A Practical 6-Step DPIA Template
1. Describe the processing. What data, what AI tool, what purpose.
2. Identify necessity and proportionality. Is AI the least intrusive option?
3. Assess risks to data subjects. Accuracy, bias, profiling, surveillance.
4. Document mitigations. Anonymisation, opt-outs, human review.
5. Consult the DPO and, if needed, the DPA. Article 36 GDPR.
6. Review every 12 months or when the system changes.
7 Safeguards Every Business Should Apply in 2026
1. Data minimisation in prompts. Strip names, emails, IDs before pasting.
2. Anonymisation and pseudonymisation at the data layer before AI sees it.
3. Vendor due diligence and DPAs, including training opt-out.
4. Internal AI policy and shadow AI controls with an approved-tools list.
5. Right to be forgotten in practice, including model and embedding deletion.
6. Logging and audit trail of who used which tool with what data.
7. Staff training and awareness every six months, not just once.
The single highest-leverage safeguard is data minimisation in prompts. If the AI never sees the personal data, most downstream concerns dissolve on their own.
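One way to put the prompt-minimisation and audit-trail safeguards into code, as an added example that is not part of the original article: a small filter that swaps emails, IBANs, phone numbers and known customer names for stable placeholders before text leaves the company, restores them locally in the model's answer, and writes an audit record holding data categories and a hash rather than the values. The regexes and the known_names list are assumptions for illustration; names come from a caller-supplied list (for instance a CRM export) because free-text name detection is unreliable.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Data categories the article says to strip before pasting. Regexes are illustrative
# assumptions; IBAN runs before PHONE so the digit run inside an IBAN is not read as a phone.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

def minimise_prompt(text, known_names=()):
    """Swap personal data for stable placeholders before the prompt leaves the company.
    Returns (scrubbed_text, mapping). Only scrubbed_text goes to the vendor; the mapping
    (placeholder -> original) stays local, so this is pseudonymisation, not deletion."""
    mapping, reverse, counters = {}, {}, {}

    def placeholder(category, value):
        if value not in reverse:  # same value -> same placeholder throughout the prompt
            counters[category] = counters.get(category, 0) + 1
            reverse[value] = f"[{category}_{counters[category]}]"
            mapping[reverse[value]] = value
        return reverse[value]

    for name in sorted(known_names, key=len, reverse=True):  # longest names first
        text = re.sub(r"\b" + re.escape(name) + r"\b", lambda m: placeholder("NAME", m.group(0)), text)
    for category, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, c=category: placeholder(c, m.group(0)), text)
    return text, mapping

def restore(model_output, mapping):
    """Re-identify the model's answer locally; the vendor never sees the real values."""
    for ph, original in mapping.items():
        model_output = model_output.replace(ph, original)
    return model_output

def audit_record(user, tool, mapping):
    """Audit-trail entry: who used which tool with which categories of personal data.
    Stores per-category counts and a hash of the mapping, never the values themselves."""
    categories = {}
    for ph in mapping:
        cat = ph.strip("[]").rsplit("_", 1)[0]
        categories[cat] = categories.get(cat, 0) + 1
    digest = hashlib.sha256(json.dumps(mapping, sort_keys=True).encode()).hexdigest()
    return {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "tool": tool,
            "categories": categories, "mapping_sha256": digest}
```

Run minimise_prompt on the text before it goes to the vendor, send only the scrubbed string, and pass the model's reply through restore on your own side.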
Real EDPB and National DPA Actions Against AI Companies
A quick map of where Europe has already moved.
Italy (Garante): ChatGPT ban in 2023, €15 million fine in 2024, broader generative AI scrutiny ongoing.
France (CNIL): dedicated AI department, formal action plan, multiple inquiries.
Germany (BfDI and state DPAs): coordinated questionnaires to AI providers.
Spain (AEPD): referred ChatGPT to the EDPB in 2023.
Ireland (DPC): lead supervisor for most US Big Tech AI deployments in Europe.
FAQ
Training on personal data without a lawful basis, prompts becoming training data, cross-border transfers, hallucinations about real people, biometric inference, hidden profiling, shadow AI, and AI-driven surveillance.
Not fully. The Italian Garante banned and then fined it, and the EDPB Taskforce flagged unresolved issues with the GDPR accuracy principle in 2024.
Indirectly. It adds risk classifications and transparency duties on AI systems but does not replace GDPR. Both apply at the same time.
Every personal data flow into an AI system is a processing activity. It needs a lawful basis, must follow data minimisation, and is subject to data subject rights including erasure.
Strip personal data before prompts, sign a strong DPA, turn off training on inputs, run a DPIA, log usage, and train staff every six months.
Conclusion: The Honest Verdict for DPOs and Business Leaders
AI and data privacy concerns are not going away in 2026. They are reshaping how every European business thinks about lawful basis, data minimisation, and vendor risk. The good news is the law is clear, the EDPB guidance is improving, and the safeguards above are achievable this quarter. Treat AI as a serious processor of personal data, and you will stay both compliant and competitive.