The growing use of agent-based artificial intelligence will test how organizations comply with existing data protection laws, a new study warns.
Innovations test the limits of existing rules, especially when AI agents perform complex multi-step tasks with limited human input.
The unique capabilities of Agentic AI require a more comprehensive approach that goes beyond existing data protection measures, the study says.
This study argues that data protection compliance should be supported by stronger accountability mechanisms, governance measures, and forms of human oversight adapted to different levels of agent AI autonomy.
These safeguards should include documentation, auditability, impact assessment, and continuous monitoring throughout the agent AI lifecycle.
Unlike traditional generative AI, agent AI systems are designed to pursue complex goals and coordinate multi-step actions, often with limited human input. This creates unique interpretation and compliance challenges for organizations subject to data protection laws, including GDPR.
The study, by Professor Anna Beduski from the University of Exeter, argues that while GDPR remains an appropriate standard for protecting personal data, the unique challenges posed by agentic AI require a broader approach that includes governance, accountability, the assessment of people’s rights and meaningful monitoring.
Professor Beduschi said: “Agent AI will not make the GDPR obsolete, but it shows why data protection cannot operate in isolation from broader issues such as governance, accountability and fundamental rights.”
“AI agents should not be treated as data controllers under the GDPR. AI agents, while sophisticated, remain tools deployed by natural or legal persons. The problem is that, in practice, AI agents may decide how personal data processing is carried out by choosing methods, approaches, task sequences, or adaptation strategies. Different degrees of autonomy in decision-making can introduce complex chains of responsibility and make access, portability, and the exercise and enforcement of data subject rights difficult. ”
The study explains that compliance with the right to erasure can become more difficult when personal data influences the dynamic and evolving decision-making processes of agent AI systems. This can reveal gaps between legal standards and technical reality.
Professor Beduschi said: “Generative AI is already creating challenges for data protection compliance. But agent AI adds further challenges, as these systems may operate autonomously over time, link multiple decisions, and pursue goals through self-guided steps. This means the legal challenge is not just to explain a single output, but to understand and oversee evolving processes of action, adaptation and decision-making.”
“As AI agents become more autonomous, safeguards will need to move away from embedded human involvement and intervention to more structured system-level continuous monitoring that can recalibrate and, if necessary, stop autonomous processes.”
/Open to the public. This material from the original organization/author may be of a contemporary nature and has been edited for clarity, style, and length. Mirage.News does not take any institutional position or position, and all views, positions, and conclusions expressed herein are those of the authors alone. Read the full text here.
