Policymakers around the world insist that AI technologies should never be exempt from basic privacy protection responsibilities. The European Union’s General Data Protection Regulation (GDPR) has long been considered the standard for handling personal data (regardless of jurisdiction), and it also applies to companies’ use of AI systems. GDPR principles include data minimization (collecting only the minimum amount of data necessary for a purpose), transparency (informing users how their data will be used), and storage limitation (retaining data no longer than necessary).
2024 was a landmark year in the field as several regulators began enforcing privacy laws in cases related to AI applications.
For example, in 2024 the Irish Data Protection Commission fined social media network LinkedIn €310 million for AI-related privacy violations. LinkedIn tracked certain subtle user behaviors, such as how long people spent on posts. The site then used AI to draw inferences about these users, including whether they were actively looking for a new job and whether they were at high risk of burnout. This profiling was used to target advertising and update certain LinkedIn internal ranking systems.
The Irish Commission ultimately determined that, despite the apparent anonymization, such AI-derived inferences could be traced back to identifiable personal data, thereby violating data privacy laws. The court ruled that LinkedIn violated the privacy of consumers by failing to respect the GDPR’s purpose limitation principle and failing to ensure informed consent from users. The ruling also forced LinkedIn to implement a real-time consent mechanism and change default ad personalization settings.4
Also in 2024, enforcement action against facial recognition company Clearview AI established the principle that biometric data (such as photos of faces), even data that is technically public (such as insecure social media accounts), poses further privacy concerns.
Clearview scraped 30 billion images from sites like Facebook and Instagram, claiming it didn’t need users’ permission because the photos were publicly available online. This massive data collection operation facilitated the development of an AI-powered facial recognition database by Clearview.
Dutch law enforcement officials condemned Clearview’s approach. The Dutch data protection authority ultimately fined Clearview €30.5 million for violating the personal rights of Dutch citizens in its data collection.5
Finally, in 2024, the European Union expanded AI-specific regulations with the AI Act, which entered into force in August of the same year. The scope of this law is broader than AI-related data, extending more broadly to AI and the risks of AI development. However, many of its provisions relate to data security, data sharing, and data governance. As one notable example, the law prohibits biometric authentication systems that use data and AI models to identify individuals based on sensitive attributes such as race, religion, and sexual orientation.
