PrivacySignal
GDPR / Intl

Thought for the week: Web scraping for generative AI is subject to the GDPR

IAPP · · International · GDPR & International

A commentary from the IAPP argues that web scraping used to build generative AI training datasets falls within the scope of GDPR, meaning the collection and processing of personal data found online is not exempt simply because it occurs at scale or at the infrastructure level.

Why this matters: A lot of AI development runs on scraped data. Companies pull text, images, and other content from across the web, and some of that content includes real people. Names, opinions, medical posts, forum entries. GDPR has rules about collecting personal data, and those rules do not disappear because the collection is automated or the end product is a language model. If this reading holds, AI developers cannot treat the open web as a free data mine. They need a lawful basis, just like anyone else collecting personal information.

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

This summary is AI-assisted and may contain errors. It is an original briefing to help you gauge significance quickly — not a reproduction of the source. Always read the linked original before relying on it. See our methodology.

Related stories

GDPR / Intl
EDPB · · EU

EDPB sheds light on anonymisation and web scraping for generative AI and adopts final version of guidelines on blockchain

The European Data Protection Board has adopted new guidelines on anonymisation, web scraping for generative AI, and blockchain data processing. The anonymisation guidance incorporates recent Court of Justice of the EU case law to clarify when data can genuinely be considered anonymous under European privacy law.

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

#gdpr#ai#privacy Read original →
GDPR / Intl
EDPB · · EU

EDPB and AMLA to develop Joint Guidelines on partnerships for information sharing

The European Data Protection Board and the newly established Anti-Money Laundering Authority have announced a joint effort to develop guidelines on how financial institutions can share customer information to fight money laundering and terrorist financing without violating data protection rules. The collaboration stems from an explicit provision in the EU's AML Regulation allowing such information exchanges.

Who should care: Lawyers · Privacy officers · AI governance · Compliance · General readers · Policy

#gdpr#regulation#privacy Read original →
GDPR / Intl
noyb (None of Your Business) · · EU

US Supreme Court just blew up EU-US Data Transfers

The US Supreme Court's ruling in Trump v. Slaughter has put the FTC's independence in doubt, which directly threatens the legal foundation of EU-US data transfer agreements. The current adequacy framework cites the FTC as an independent enforcer 259 times, a requirement under EU law that may no longer be satisfied.

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

#gdpr#privacy Read original →
GDPR / Intl
M Maryland Association of Counties · · International

Attorney General Releases Guidance on Community Trust and Data Privacy Acts

A state Attorney General has released formal guidance on laws governing community trust and data privacy, providing direction to counties on how to interpret and apply both statutes. The guidance appears aimed at helping local governments align their practices with the requirements of the acts.

Who should care: Lawyers · Privacy officers · Compliance · General readers · Policy

#state-privacy#regulation#privacy Read original →
GDPR / Intl
CNIL · · EU / France

Emerging technologies and the protection of children: G7 data protection authorities agree on key principles

Data protection authorities from G7 nations have jointly adopted a set of principles addressing how emerging technologies should handle children's data and safeguard minors online. The agreement signals coordinated regulatory intent across major democracies to hold technology developers to higher standards when children are involved.

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

#gdpr#privacy Read original →
GDPR / Intl
DataBreaches.net · · International

UK: ICO statement on ‘Edtech examined’ report

The UK Information Commissioner's Office has published a report summarizing findings from its audits of educational technology providers, outlining how those companies handle personal data and where improvements were identified or made.

Who should care: Lawyers · Privacy officers · AI governance · General readers · Policy

#gdpr#privacy Read original →