Can a Machine Learn Under the GDPR?

Posted: 16 Mar 2018 Last revised: 3 Aug 2020

Date Written: December 16, 2018


Recent advances in artificial intelligence (AI) and machine learning technologies are poised to open up opportunities for progress in a variety of sectors. In areas ranging from precision medicine to autonomous vehicles, AI and machine learning could play a key role in the development of data-driven research and an increasingly connected global economy. Given the dependency of AI and machine learning systems on ever-larger volumes of data, laws that protect data could have an impact on the development and commercialization of these tools. The European Union’s (E.U.’s) General Data Protection Regulation (GDPR) is one such data protection law. The GDPR’s impact on research into AI and future practical applications is uncertain. One thing is clear, however: the researchers and commercial enterprises intending to use AI and machine learning will soon have to comply with a variety of provisions that aim to increase data subjects’ control over their data and how it is used. This paper aims to answer a threshold question: With the rights it newly articulates in effect, is GDPR compliance possible for a company utilizing machine learning or AI? This paper contends that, given the current guidance available, four of those vested rights pose a considerable challenge for a company that is developing or using machine learning and AI technologies. Those rights are: 1) Right Against Automated Decision-Making (i.e., Right Against Profiling); 2) Right to Erasure (i.e., Right to be Forgotten); 3) Right to Data Portability; and 4) Right to Explanation. To make this argument, first, the paper outlines how European privacy law effectuates the aforementioned rights under the 1995 Data Protection Directive. The second section provides a general overview of the GDPR and its intended operation.
The third section discusses how the four aforementioned GDPR rights might apply to AI and machine learning research, development, and commercial deployment, with a particular focus on how the operators of these systems acquire data, use data, and apply AI to specific tasks. For illustrative purposes, the paper examines these issues in the context of a hypothetical company attempting to deploy AI-dependent tools in a GDPR-compliant manner. Specifically, the paper examines the overall effect compliance with the GDPR will have on the relative robustness of the business’s AI-inflected services for European users. Given the hefty maximum penalty the GDPR potentially imposes on those not in compliance with its provisions, it is essential for any company seeking to take advantage of artificial intelligence or machine learning technologies to understand the burden the GDPR places on their development and use.

Suggested Citation

Thayer, Joel, Can a Machine Learn Under the GDPR? (December 16, 2018). TPRC 46: The 46th Research Conference on Communication, Information and Internet Policy 2018, Available at SSRN:
