Europe’s AI Act is Not Playing Nice with GDPR and That is a Big Problem for You
Did you think the AI Act will overshadow the GDPR? Not so fast. This post delves into their tangled relationship, and what it means for you.
In case you missed the emerging developments from the EU, the implementation of the AI Act is approaching at warp speed. But in its slipstream, it is kicking up a lot of questions, especially for those of us already wrestling with the GDPR. Now that the Council has released a fresh summary of how these two “titans” will interact, it's time for us to dig in.
The document is a confidential Council of the EU summary from April 2025 outlining the key takeaways from a joint debate on how the Artificial Intelligence (AI) Act will interact with the General Data Protection Regulation (GDPR).
Held under the Polish Presidency, the meeting brought together data protection and telecom policymakers from EU Member States.
The discussion focused on practical challenges of implementing both laws simultaneously, particularly for regulators and AI system providers.
Key concerns included the differing approaches of the two laws: the GDPR centres on data protection and fundamental rights, while the AI Act takes a product safety and risk-based approach to regulating AI systems.
This creates legal uncertainty, risk of double sanctions, and overlapping compliance obligations, especially for high-risk AI applications using personal data.
Member States called for clearer EU-level guidance, shared templates for assessments, closer cooperation between data protection and AI authorities, and integrated national governance structures.
The role of regulatory sandboxes was also discussed as a way to support innovation while ensuring legal compliance.
The document reflects growing pressure on EU institutions to harmonise interpretations, streamline enforcement, and clarify expectations ahead of the AI Act’s full implementation, particularly in scenarios where both laws apply at once.
Two Tech Laws, Two Philosophies 😵💫
Let us not sugar-coat it. The AI Act and the GDPR might both be EU laws, but they don’t exactly operate on the same wavelength.