| Abstract [eng] |
The Master's thesis critically examines the compatibility between general purpose AI and data protection, focusing on the GDPR, the EU's IoT law and the CCPA and its replacement CPRA. The main objective is to assess how GenAI systems comply or conflict with fundamental privacy principles, including purpose limitation, data minimisation, transparency and data subject rights. The analysis starts with a conceptual and legal explanation of personal data and its various classifications in the context of the GenAI systems. It examines how GenAI tools - such as ChatGPT, Claude, Gemini, Copilot and LexisNexis - process both structured and unstructured user data, distinguishing sensitive personal data without explicit user consent or explicit disclosure of the origin of data. Particular attention is paid to risks such as behavioural profiling, data leakage and indirect re-identification. Empirical examples and case law are used to analyse institutional oversight and legal enforcement. The work assesses important regulatory actions (e.g. Garante's OpenAI study, the Polish DPA studies) and the main decisions of courts and international institutions. The use of accountability combined with responsibility, the exposure of black box issues and the initiation of pre-assessments such as DPIAs are potentially seen as regulatory tools for BPDI compliance. In addition, the MSc also evaluates proposed safeguards such as pseudonymisation, encryption and ethical IoT design frameworks, identifying their advantages and disadvantages. It also compares the EU and US legal approaches to transparency, accountability of algorithms and enforcement thresholds, revealing key differences in scope and enforcement. The study concludes with structured conclusions, which highlight the challenges in terms of legislation, ethics and technical solutions, and propose to strengthen cross-border regulatory cooperation. |
