More than six years after it took effect, Europe’s mighty data-protection rulebook is getting its second wind — by stymieing the artificial intelligence plans of Big Tech giants.
In just a few months, Google, Meta, X and LinkedIn have paused or delayed AI projects in the European Union, blaming an old yet familiar foe: Brussels red tape.
The regulatory flex is coming mainly from data protection authorities, which have the power to enforce the EU’s General Data Protection Regulation (GDPR). Ireland’s Data Protection Commission (DPC) in particular has wielded its significant powers to block AI rollouts from the world’s biggest companies — a sharp turn after years of criticism that its regulator was too slow to slap fines on Big Tech for privacy violations.
The blocks to AI technology come at a time when the EU is second-guessing its tradition of heavy-handed regulatory intervention — especially on AI, which is seen as critical in Europe’s efforts to compete with the United States, China and other world regions.
Actions by regulators have reignited the animosity of Big Tech firms toward the EU’s digital and data laws. Meta, Google and others have launched intense lobbying campaigns in recent weeks to hammer home the message with EU officials: Enough with the heavy-handed crackdown on new services.
“Europe has become less competitive and less innovative compared to other regions and it now risks falling further behind in the AI era,” Mark Zuckerberg of Meta, together with CEOs from companies ranging from SAP to Stripe, wrote in a mid-September open letter. In its wake, Europe’s top tech executives have backed the Big Tech firms, warning against the overregulation of AI or calling out “fragmented” regulation that is implemented inconsistently.
Google’s top lobbyist Kent Walker, in an interview with POLITICO this week, urged EU officials to “step back” and consider how to “simplify and streamline” the tech regulatory framework. A report by Google said that only with such a “pro-innovation” regulatory framework can the EU add €1.2 trillion to €1.4 trillion to its GDP over the next 10 years.
AI buck stops in Ireland
Tech firms are facing scrutiny from all sides over what data they use to train their AI models.
Publishers are figuring out how to get a fair deal from AI-fueled chatbots gobbling up their content, with the New York Times suing OpenAI and Microsoft. Musicians and artists are equally worried, with Universal Music Group briefly taking its music off TikTok over AI concerns.
In Europe, the immediate scrutiny is running through privacy watchdogs that supervise how tech firms handle Europeans’ personal data like posts, images and interactions on social media. These authorities are responsible for checking if tech firms have the right to use their users’ personal data to feed AI.
A key question that regulators are still figuring out is the so-called legal basis to use data: valid grounds (of which there are six under the GDPR) that tech and social media companies rely on to process their data for AI purposes.
“The tech companies that are scraping the internet to feed their AI systems need a reality check: Consumers should always remain in control over their personal data,” European consumer rights association BEUC said in a comment.
“GDPR is there to steer innovation in the right direction. If it doesn’t respect people’s fundamental rights, you don’t have good innovation,” said Tobias Judin, a legal expert at Norway’s data protection authority.
For Big Tech, that means delays and difficulties. Meta, X and LinkedIn have all recently delayed their rollout of new artificial intelligence applications in Europe after an intervention by the Irish DPC. Google’s PaLM2 model is facing an inquiry by the same regulator, which also forced Google to pause the release of its Bard chatbot last year.
Those moves suggested a stark shift in strategy at the Irish authority, which under the leadership of former Commissioner Helen Dixon faced widespread criticism for being too slow to hold Big Tech to account for privacy violations. The authority saw a change of guard earlier this year, with two co-commissioners, Des Hogan and Dale Sunderland, taking over from Dixon. Hogan and Sunderland have sought to avoid criticism from their peers in Europe, taking a tough line against Big Tech that better fits how other regulators want Ireland to act.
In the case of X, the Dublin regulator took the unprecedented step of asking Ireland’s High Court to order the social media network to suspend, restrict or prohibit its processing of personal data.
Italy’s privacy regulator intervened even earlier by banning OpenAI’s ChatGPT in the country in March 2023 — just as the release of the chatbot sent shockwaves across the tech sector.
It’s not just data protection law, either. Apple over the summer announced a new iPhone model powered by AI but is holding off on rolling it out in Europe because it needs to check if it would hold up against the EU’s new digital competition law, the Digital Markets Act.
EU’s ‘shadow legislator’
One of the main gripes of AI firms is that they don’t know which way regulators will rule on a given issue.
“Inconsistent and ever-evolving interpretations of the GDPR rules amount to legal uncertainty for businesses of any size, which impacts the EU’s overall capacity for digital innovation and growth,” said Claudia Canelles Quaroni of tech lobby group CCIA, whose members include Apple, Google, Meta and X.
Tech firms have notably been frustrated with the European Data Protection Board, a group that assembles EU data protection authorities to coordinate enforcement and that steps in where different authorities disagree on cases and fines. The board, through guidance and opinions, has been “acting almost as a shadow legislator,” Quaroni said.
Hogan and Sunderland, who lead the Irish privacy authority, recently asked the Board for an opinion on “issues arising from the use of personal data in AI models.” The opinion is due in late December and will be binding on regulators. The Board is also working on guidelines for companies on how to scrape large datasets on the web, POLITICO reported earlier.
Kent Walker, Google’s top lobbyist, told POLITICO that the firm is “looking forward” to the opinion, which he said “may provide the opportunity to be able to move at a faster pace in introducing [AI].”
But others have disparaged how the Irish regulator is now aligning itself with other EU authorities.
Nick Clegg, No. 2 at Meta, told the Irish Independent in September that the DPC had become a “mailbox” for other data regulators. Though he didn’t name names, Meta was enraged by Norway’s intervention in the Irish regulator’s case that eventually led the firm’s launching a paid, ad-free subscription model for European users of its flagship social media Facebook.
“My fear is that it will just lead to a situation where whichever [data protection authority] shouts the loudest will then start setting policy,” Clegg said.
Mathieu Pollet contributed reporting.