by Dr. Christoph Werkmeister, Giles Pratt, Tristan Lockwood, and Dr. Benjamin Blum
In December 2024, the European Data Protection Board (EDPB) and the UK Information Commissioner’s Office (UK ICO) separately published significant guidance on the application of the GDPR to AI.
The EDPB’s Opinion 28/2024 had been much anticipated and generated significant media coverage, with headlines such as ‘AI developers don’t need permission to scoop up data, EU data watchdogs say’ (Politico). The UK ICO’s response to its year-long consultation on privacy issues in generative AI may have attracted less attention, but it also marked a significant development in how businesses should assess AI from a privacy perspective.