Artificial intelligence is rapidly becoming part of our everyday lives – from science and business to the decisions we make daily. Yet alongside this technological progress, important questions are emerging: where does AI get its data, who is allowed to use it, and do current data protection rules still reflect reality?

These questions are now at the center of debate, particularly in light of the European Commission’s proposed amendments to the General Data Protection Regulation (GDPR). The changes could significantly impact not only how AI is developed, but also how each of us relates to our personal data. At the same time, the EU is trying to maintain its role as a global standard-setter in regulation while responding to concerns from businesses about the growing complexity and administrative burden of digital rules.
We spoke with Prof. Dr Saulė Milčiuvienė, a legal scholar at Vytautas Magnus University and a member of the SustAInLivWork Centre of Excellence, whose research focuses on data regulation.
What is currently changing in the European Commission’s proposed GDPR amendments, and why does it matter for AI development?
At the moment, there are two major legislative initiatives proposed by the European Commission that are widely discussed – the so-called Digital Omnibus and the Digital Omnibus for AI. These aim to revise a broad range of EU laws related to cybersecurity, data, artificial intelligence, and privacy.
It is important to understand that these are still proposals. They are being developed under time pressure to ensure that existing regulations do not hinder technological progress. In a way, this is a form of “firefighting,” while the Commission is also planning a broader evaluation of the entire digital regulatory framework.
Public consultations have already taken place, allowing stakeholders to share their views, and the Commission is now assessing the feedback received.
Europe often aims to be both innovative and protective of individual rights. Are these two ambitions truly compatible?
The protection of human rights has always been, and remains, a top priority in Europe. At the same time, it is well established that most rights are not absolute and may be limited under certain legal conditions.
The same applies to the right to personal data protection, which is enshrined in the EU Charter of Fundamental Rights. Over time, the interpretation and application of this right evolves.
The core issue is that new technologies – especially AI – have introduced entirely new ways of using and processing data that were not fully anticipated when the GDPR was developed.
It is worth remembering that GDPR was adopted in 2016, based on a proposal from 2012 –that is more than a decade ago. Digital technologies have advanced dramatically since then. Applying GDPR today can sometimes feel like trying to dress a rapidly growing child in last season’s clothes – the garment itself is still good, but it no longer fits comfortably.
This creates a broader challenge: technology evolves quickly, while EU lawmaking is a slow process. For example, it took more than six years from the initial GDPR proposal to its full application.
Why do data protection issues generate so much debate today?
Legal change is not unusual. However, debates intensify when changes affect fundamental rights.
In this case, we are dealing with the right to personal data protection. The challenge is to find a delicate balance: maintaining a high level of protection while also enabling the development of AI technologies in a supportive legal environment.
Which proposed GDPR changes could most directly affect both developers and everyday citizens?
The Digital Omnibus includes several significant proposals. One of them concerns redefining what counts as personal data. This could potentially reduce the scope of data considered personal. In practice, the same data might be treated as personal data by one entity but not by another, depending on whether they can realistically identify an individual.
However, it appears that this particular proposal may not be adopted. The Council of the European Union has indicated that the current definition should remain, while suggesting that clearer guidance should be developed to reflect technological progress.
Another proposal involves narrowing individuals’ right to access their personal data. It would expand the situations in which data controllers could refuse to provide access. This is partly justified by cases where this right has been used not to protect personal data, but to burden or harm data controllers.
How could these changes affect research and innovation?
The proposals introduce a much broader definition of scientific research. This could allow not only public institutions but also private entities engaged in innovation to collect personal data for research purposes and later use it commercially.
However, the Council of the EU has expressed reservations about such a broad interpretation. It has also emphasized that research can be based not only on legitimate interest but also on public interest, grounded in EU or national law.
Which changes are most directly related to AI development?
Several proposed amendments specifically target AI. For example, there are provisions that would allow the processing of sensitive personal data for the development and use of AI systems. It is also proposed that personal data for AI development could be processed on the basis of legitimate interest, without requiring explicit consent from individuals.
These changes could make AI development easier, but they also raise important concerns. There is ongoing debate about whether they are fully compatible with the EU Charter of Fundamental Rights. Ultimately, they will only come into force if approved by both the European Parliament and the Council.
What does this uncertainty mean in practice?
At this stage, the regulatory framework remains uncertain. This creates additional tension for those developing and implementing AI projects.
At the same time, this is precisely where research projects like SustAInLivWork become especially important. Their role is not only to respond to regulatory change but also to help develop and apply best practices.
Science becomes a space for testing balanced solutions – ones that allow technological innovation to move forward while safeguarding fundamental rights.
