What is the difference between the GDPR and the EU AI Act?

Two of the more controversial pieces of legislation enacted by the EU dealing with the nebulous concept of governing data are the General Data Protection Regulation (GDPR) and the EU AI Act. For companies, these regulations often represent a bothersome compliance hurdle and a barrier to entry into the EU market. At a very high level, both the GDPR and the EU AI Act are regulations, that is, binding legislative acts that must be applied across the entirety of the European Union.

The GDPR was adopted in 2016 and went into effect in 2018. The EU AI Act was proposed back in 2021 and officially came into force on August 1st, 2024. The AI Act is currently not fully in effect; all of its obligations should be in effect by the end of 2030. While both are young pieces of legislation, their impact, in particular that of the GDPR, has been felt globally.

Both legislations contain a long list of requirements for compliance. Some see this as setting a high standard; others see it as a regulatory burden. It remains to be seen whether these legislations will stand the test of time and bring about the positive change they were drafted to deliver, or whether legislators will need to compromise in the face of a global political climate that seeks to capitalize on individual data in order to further new technological developments.

Background on European data law

European data law is concerned with more than just data protection law; it can also be extended to the concept of individual privacy. Legislation dealing with data protection is often framed as dealing with the right to data ownership, a common framing for “privacy” related legislation including the GDPR. The GDPR is often seen as a legislative success because it was the result of supranational law-making. Member states have appointed data protection authorities to enforce the GDPR, and millions, if not billions, of euros in fines are issued every year, which ensures a moderately high level of compliance with the GDPR by organizations and companies processing personal data in the EU.

How do the regulations deal with new technologies?

A common criticism of the GDPR is its inability to adequately deal with new and emerging technologies. The GDPR addresses this only minimally, with no explicit statements about what is allowed. Compliance with the GDPR therefore often forces intricate questions about the type of data processing occurring.

The GDPR is primarily concerned with the concept of personal data and aims to achieve its safe and transparent processing. Personal data under the GDPR can best be understood as information that can be linked back to an identified or identifiable natural person (GDPR Art.4). Anonymous and non-personal data are both out of scope for the GDPR. The concept of data law is linked to the idea of personal property in the sense that personal data is seen as the property of an individual. Sometimes it is easier to understand the GDPR as a law protecting the data ownership rights of individuals in the EU.

In contrast, the EU AI Act is the first legislation created to grapple with the issue of artificial intelligence. The goal and scope of the AI Act is to govern the development and usage of AI systems, as these systems can pose risks to the fundamental rights of individuals in Europe. The AI Act does not intend to replace the GDPR at all; it complements the GDPR by detailing the specific additional requirements for artificial intelligence. The GDPR applies in conjunction with the AI Act when personal data is also being processed by an AI system. The AI Act is structured with a risk-based approach, in contrast to the GDPR’s principle-based approach.

Who does the legislation apply to?

The targeted actors in the two regulations differ, and it is important to understand the distinction. The GDPR outlines the two ideas of “controller” and “processor.” A controller in the context of the GDPR is an entity that determines the means and purposes of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller (GDPR Art.3).

In contrast to the GDPR, the EU AI Act details the ideas of “provider” and “deployer.” A provider is an entity that develops an AI system or AI model. A deployer is an entity that uses an AI system, but this does not cover AI systems used for personal use (AI Act Art.3). A provider is not necessarily a controller, nor is a deployer necessarily a processor. The nuance in targeted actors for each legislation allows them to accomplish their two distinct respective goals.

What are the similarities between the EU AI Act and the GDPR?

Within the two regulations, there are general similarities between some of the articles. The following list compares each regulatory concept across the GDPR framework, the EU AI Act framework, and the key distinction or takeaway.

  • Extraterritorial reach
    GDPR framework: Article 3: Applies to companies based outside the EU if they target or process the personal data of individuals within the EU.
    EU AI Act framework: Article 2: Applies to AI systems designed outside the EU if they are offered or used within the EU market.
    Key distinction / takeaway: Both regulations protect EU citizens by binding foreign entities to EU standards if they want to do business in the region.
  • Education & awareness
    GDPR framework: Articles 32 & 39(1)(a): Mandates DPO-led training and technical measures so employees understand the privacy implications of data processing.
    EU AI Act framework: Article 4: Promotes AI literacy to ensure developers and users can make informed, safe decisions regarding the technology.
    Key distinction / takeaway: The GDPR focuses on internal employee training for data handling, while the AI Act emphasizes broader technology literacy for decision-making.
  • High-risk classifications
    GDPR framework: Article 9: Identifies “special categories” of data (sensitive data) that trigger strict, specific processing requirements.
    EU AI Act framework: Article 6: Outlines strict classification requirements and secondary compliance rules for High-Risk AI Systems (HRAIS).
    Key distinction / takeaway: Both frameworks isolate high-risk elements (systems vs. data types) and subject them to heightened regulatory scrutiny.
  • Data governance scope
    GDPR framework: Core principles: Governs data processing, but limits its scope strictly to personal data.
    EU AI Act framework: Article 10: Regulates all data sets (personal and non-personal) used for training, validating, and testing AI systems.
    Key distinction / takeaway: The AI Act goes beyond the GDPR by regulating non-personal data if it is used to develop or train AI models.
  • Risk management
    GDPR framework: Article 35: Mandates a Data Protection Impact Assessment (DPIA) when new processing technologies pose a high risk to natural persons.
    EU AI Act framework: Article 9: Requires high-risk AI systems to establish, document, and maintain a continuous risk management system.
    Key distinction / takeaway: Both require proactive risk modeling before deployment, shifting the burden of safety onto the entity.
  • Human oversight
    GDPR framework: Article 22: Provides safeguards and restricts solely automated decision-making that carries legal or significant effects.
    EU AI Act framework: Article 14: Mandates that high-risk systems be designed with built-in human-machine interface tools so natural persons can effectively oversee them in real time.
    Key distinction / takeaway: The AI Act requires systemic, design-level oversight tools, whereas the GDPR focuses on a person’s right to contest purely automated decisions.

Other Shared Regulatory Principles

Beyond these specific pillars, both frameworks share broad structural similarities designed to ensure corporate accountability. If you are building a compliance strategy for both, you will find overlapping requirements across:

  • Transparency & Accuracy: Ensuring systems and data processing are clear and correct.
  • Accountability & Retention: Keeping robust documentation and managing data lifecycles.
  • Incident Response: Managing corrective actions, breach reporting, and regulatory cooperation.

Understanding the difference in penalties

Turning from compliance to non-compliance, the penalty for noncompliance differs between the two legislations.

Article 99 of the AI Act outlines penalties. Unlike the GDPR, the penalty for noncompliance is “administrative fines of up to EUR 35 000 000 or, if the offender is an undertaking, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher” (AI Act Art.99).

The penalty for noncompliance under the GDPR is “administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher” (GDPR Art 83). The largest fine delivered for noncompliance with the GDPR since inception was a fine to Meta of 1.2 billion in 2023. No fines have yet been issued for noncompliance with the AI Act, as it is still not in full effect. The requirements for high-risk AI systems are coming into force in August of 2026. The penalty for noncompliance with the AI Act is more severe, because the processing it covers is deemed a higher risk with potentially more far-reaching societal consequences.

Are both just long and complicated legal texts?

From a high-level perspective, the two laws share two common complaints: the length of the regulations and the convoluted drafting of the legislation. The GDPR is a lengthy regulation containing 11 chapters and 99 articles. The AI Act contains 13 chapters, 113 articles, and 13 annexes. Needless to say, the length of these legislations is daunting for entities simply wishing to comply.

  • The GDPR is more general than the EU AI Act, as it deals with controllers and processors of personal data, whether companies or individuals. Individuals residing in the European Union are confronted with the GDPR on a daily basis, from forms at the doctor’s office to notices on a random website they are surfing.
  • The AI Act, on the other hand, deals with the development and usage of AI systems for commercial endeavors. It is not applicable to most individuals on as granular a scope as the GDPR.

Neither document is straightforward. As a result, various data protection authorities, such as the CNIL in France and the AEPD in Spain, often release clarifying guidelines for compliance. The highly legal wording of the laws often demands clarification and guidance through precedent set in case law.

Can EU regulations shape the norm? 

There are contending opinions about the development of EU regulations. Consider the perspective that the EU is a global power and a major player in the world’s economy. Companies or entities that wish to participate in the European market must comply with the GDPR and other applicable European regulations. As a result, jurisdictions around the world have adopted data protection laws modeled on the GDPR in order to interact with the market. This idea that the EU has the ability to shape a global standard is known as the Brussels Effect and was outlined by Anu Bradford. It is argued that this effect appears when companies prefer the universality of European data law.

Because European data law is so strict and of such a high standard, compliance with EU regulations ensures compliance with any other applicable data regulations. This saves companies the headache of trying to comply with various applicable legislations separately. EU Commissioner Margrethe Vestager argued in a vein similar to the Brussels Effect: that the EU’s competitive edge comes from its strong privacy and data protection regulations, and that these standards help to shape a high standard for emerging technologies. This is a relatively positive outlook that looks favorably on the development of regulations in the EU.

The compliance burden of both legislations

With the exponential development of new technologies, it is often argued that Europe is missing out on the digital revolution. Currently only four of the world’s top fifty tech companies are based in Europe. The Draghi report discusses plans for making Europe a commercial center by arguing for various paths to success, with an emphasis on the burden that regulatory barriers to entry place on young companies. The GDPR and the EU AI Act are two similar regulations, but additional regulations apply to companies in a similar regard. Consider Germany, where there is the GDPR, a federal data protection law, and state-level data protection laws. This heterogeneity of requirements across the EU can leave a company wishing to comply with the supranational EU legislation worried about missing contingencies.

Compliance struggle for smaller companies

This often leads smaller companies to choose not to operate in the EU, and as a result innovation is halted by the regulations. The AI Act, for instance, seeks to impose additional requirements on companies developing AI within the EU. As a result, seeking to avoid the burden of compliance, a smaller AI startup may choose not to develop AI in Europe, taking away potential growth from new technologies within the EU.

  • The GDPR created a demand for individuals who are able to help companies interpret and comply with it. Under certain circumstances there is even a requirement to appoint a data protection officer.
  • The AI Act does not require the appointment of such an officer. However, due to the complexity of the legislation, assigning a specific individual or engaging external consulting could be the only viable route to compliance.
  • Compliance with just these two applicable legislations demands substantial monetary and time resources.

Where does that leave us? 

It remains unclear whether commercial and capitalist endeavors will force the legislations to be applied less stringently. Currently, the length and vagueness of the legislation make compliance difficult. The lack of new commercial endeavors in the EU is pushing legislators toward potentially relinquishing the strict and high standards that they once promoted in the global political sphere. Since the EU AI Act is not yet in force for high-risk AI systems, it is hard to know whether the adoption of such a law will be successful.

The AI Act has already shown that there is a need for data protection authorities to provide clarity. Such clarity will ensure that both legislations are implemented and serve their respective purposes as intended. Ideally, the high standard that Europe has created will hold and incentivize compliance with these well-intended regulations.

Feel free to reach out to TechGDPR for any compliance related inquiries and if you want to improve your understanding of the GDPR or the EU AI Act. 
