5 Data and data transfers

AI systems rely on vast amounts of data, much of which includes personal and sensitive information (and which is subject to specific legal protections under data protection law in the UK, including the General Data Protection Regulation 2018). This presents significant legal and ethical challenges.

Organisations must ensure that personal data is processed lawfully, fairly, and transparently. This includes honouring principles such as purpose limitation and data minimisation. Under the Data Protection Act 2018 in the UK, organisations are required to process personal data lawfully, fairly, and transparently.

However, many GenAI models are trained on internet-scraped data without clear user consent, raising concerns about the legal basis for processing and potential violations of privacy. Furthermore, inferential capabilities of AI can generate sensitive information about individuals from seemingly harmless inputs, escalating privacy risks.

For instance, training LLMs using data scraped from the internet raises substantive concerns over non-compliance with data protection obligations. Care should be taken when using or training GenAI or LLMs given these issues.

Image generated with AI using the prompt: Generate an image of cross border data transfers.

Show description|Hide description

A 2D digital illustration conceptually represents cross-border data transfers. A dark blue world map with lightly shaded continents serves as the background. In the center, a white cloud icon with blue up and down arrows symbolises cloud data exchange. On either side of the cloud, there are tan file folder icons – one on the left, over North America and one on the right, over Europe – connected to the cloud by white arrows pointing in opposite directions. Below the graphic, the bold text reads "CROSS-BORDER DATA TRANSFERS." The design is clean and modern, conveying the global flow of digital information.

Image generated with AI using the prompt: Generate an image of cross border data transfers.

Cross-border data transfers complicate compliance further. When data is sent to countries without adequate protections, organisations must use safeguards like Standard Contractual Clauses (SCCs). Yet these are often insufficient given global enforcement asymmetries.

Experts increasingly recommend collective governance strategies (Lynskey, 2021) – such as public registers of training datasets – to improve transparency and accountability in AI data practices.