Can GDPR and the AI Act really coexist?

The official enactment of the EU AI Act 2025 is likely to bring major challenges in implementation and enforcement. Companies using artificial intelligence across the European Union will be subject to strict regulations concerning data usage, transparency, and risk management, particularly when using high-risk AI systems. Privacy regulators are expected to play a vital role where personal data is used to develop artificial intelligence models, with potential sanctions for non-compliance. The interplay between the AI Act and GDPR will add further complexity, particularly for global entities.

The EU’s NIS2 Directive will enter its implementation phase, expanding cybersecurity obligations for critical infrastructure and essential sectors. Companies will have to adjust to the stricter breach notification laws, risk management requirements, and supply chain security mandates. Regulators will likely zero in on cross-border cooperation in response to major incidents; early cases will probably establish important precedents. Organizations can expect increased scrutiny over their cybersecurity disclosures and incident response plans.

GDPR and AI Act

After years of turbulence, 2025 could mark a turning point for transatlantic and global data flows. The EU-US data privacy framework will face ongoing reviews by the European Data Protection Board (EDPB) and potential legal challenges, but it offers a clearer path forward. In the meantime, the EU could continue to enter into adequacy agreements with key trading partners, paving the way for a harmonized approach to cross-border data transfers.

Companies will need robust mechanisms, such as standard contractual clauses and emerging transfer impact assessments (TIAs), to maintain compliance. The GDPR continues to set the global benchmark for privacy laws, and 2025 will see the ripple effect of its influence as EU member states refine their data protection frameworks. Consumer rights, such as the right to explanation in algorithmic decision-making and stricter opt-in requirements for data use, are expected to be strengthened. Regulators are also likely to target dark patterns and deceptive consent mechanisms, pushing companies toward greater transparency in their user interfaces and data practices.

Between the AI Act and the DMA

The Digital Markets Act (DMA), fully enforceable in 2025, will bring sweeping changes to large online platforms, or “gatekeepers.” Interoperability obligations, restrictions on combining data across services, and limits on targeted advertising will intersect with GDPR compliance. The overlap between DMA and GDPR enforcement will challenge platforms to adapt their practices while balancing privacy obligations. This regulatory synergy could reshape data monetization strategies and set a precedent for digital market governance around the world.


2025 is going to be a very important year for data privacy and the regulation of digital markets, with the European Union leading the way in making the online ecosystem more transparent and accountable. While the new EU-US data privacy framework gives a clearer way forward for transatlantic data flows, it is likely to attract continued scrutiny and potential legal challenges. At the same time, adequacy decisions with other major trading partners will likely be considered by the EU, further solidifying a converged approach toward cross-border data transfers. Meanwhile, the General Data Protection Regulation continues to set the global standard for privacy laws and, in so doing, shapes data protection frameworks worldwide.

A different kind of approach

2025 is likely to see further strengthening of consumer rights, including more transparency in algorithm-driven decisions and tighter controls over how personal information is used. That also means regulators will ratchet up their actions against deceptive practices to encourage businesses to take a more ethical and user-centric approach to dealing with data. Added to this regulatory landscape is the Digital Markets Act, which will be fully in effect from 2025. This act brings comprehensive changes for large online platforms, affecting various aspects, including interoperability and targeted advertising.

The interaction between the DMA and the GDPR will require companies to carefully balance market competitiveness with their data protection obligations. The confluence of regulatory forces in 2025 might very well change the data monetization game and set a global standard for digital market governance. This is because these regulations push toward greater transparency, accountability, and user control within the digital market, to create a more equitable and reliable environment for all.

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.