European data protection authorities applied GDPR to AI before the EU AI Act fully kicked in — and fines made clear that lawful data processing is a prerequisite for any AI deployment touching EU residents.
Clearview AI
Multiple EU regulators fined Clearview AI tens of millions of euros collectively for scraping facial images without a legal basis and failing to honor data subject rights. Italian, French, Greek, and other authorities coordinated findings: biometric data for facial recognition requires strict lawful grounds; "public web scraping" is not enough.
ChatGPT / OpenAI investigations
Italy's Garante temporarily banned ChatGPT in 2023 over the absence of a privacy policy basis, age controls, and data subject rights. Other European DPAs opened investigations into training data lawfulness, transparency, and children's access. The cases established that generative AI providers and enterprise deployers both face GDPR accountability.
Meta and behavioral AI
The Irish DPC fined Meta record amounts partly tied to lawful basis for personalized advertising and data processing at scale — relevant to any enterprise using customer data to train or fine-tune models without explicit governance.
Lessons for enterprise deployers
- Complete DPIAs before processing personal data in AI workflows
- Document lawful basis — consent, contract, legitimate interest analysis
- Honor access, deletion, and objection rights for data used in inference
- Restrict cross-border transfers; record SCCs and transfer impact assessments
- Never paste EU personal data into unapproved US SaaS models without transfer governance
GDPR enforcement shows regulators act on data grounds when AI-specific rules are still phasing in. openRegal intake captures data scope and jurisdiction; assessment flags privacy controls; evidence stores DPIA and legal basis — the paper trail DPAs request.
