It’s not for free, it’s just accessible - The Role of Consent, Purpose Limitation, and the Right to Erasure as GDPR Safeguards in AI Training

Sykora, Lea

It’s not for free, it’s just accessible - The Role of Consent, Purpose Limitation, and the Right to Erasure as GDPR Safeguards in AI Training

Mark

Sykora, Lea ^LU (2025) HARN63 20251
Department of Business Law

Abstract: With Artificial Intelligence (AI) relying heavily on vast datasets, including publicly available personal online data and increasing amounts of fines for data breaches the individuals demand for control over personal data increases. The purpose of this thesis is to analyze the efficacy of the GDPR in granting data subjects control over their personal data when they are used to train AI. Therefore, the research questions are whether data subjects can effectively rely on consent as a legal basis (Art. 6(1)(a)) and the principle of purpose limitation (Art. 5(1)(b)) under the GDPR to ensure control over the processing of their personal data for AI training and if the right to erasure (Art. 17 GDPR) poses an effective right against unwanted... (More); With Artificial Intelligence (AI) relying heavily on vast datasets, including publicly available personal online data and increasing amounts of fines for data breaches the individuals demand for control over personal data increases. The purpose of this thesis is to analyze the efficacy of the GDPR in granting data subjects control over their personal data when they are used to train AI. Therefore, the research questions are whether data subjects can effectively rely on consent as a legal basis (Art. 6(1)(a)) and the principle of purpose limitation (Art. 5(1)(b)) under the GDPR to ensure control over the processing of their personal data for AI training and if the right to erasure (Art. 17 GDPR) poses an effective right against unwanted data processing in AI training. The EU legal method was employed in a dogmatic manner under consultation of the GDPR, AI Act and supporting documents of the EDPB and WP29. This thesis concludes that data subjects cannot effectively rely on consent as a legal basis for processing personal data in the context of AI training,
primarily due to the purpose limitation principle, which conflicts detrimentally with the purposes of AI. Consequently, AI developers may instead rely on legitimate interests as a legal basis (Art. 6(1)(f) GDPR). Although anonymization techniques may exempt AI developers from GDPR compliance, this depends on a case-by-case assessment of the risk of re-identifying personal data. Lastly, this thesis found the right to erasure to be theoretically a powerful right directly invokable by the data subjects, but practically difficult to apply to AI training. Research of machine unlearning (MU) techniques may give hope for an effective enforcement of the right to erasure under the GDPR. (Less)

Please use this url to cite or link to this publication: http://lup.lub.lu.se/student-papers/record/9192399

author

Sykora, Lea ^LU

supervisor

Jonas Ledendal ^LU

organization

Department of Business Law

course

HARN63 20251

year

2025

type

H1 - Master's Degree (One Year)

subject

Law and Political Science

keywords

AI training, GDPR, personal data processing, consent, anonymization, purpose limitation, right to erasure

language

English

id

9192399

date added to LUP

2025-06-03 12:53:11

date last changed

2025-06-03 12:53:11

@misc{9192399,
  abstract     = {{With Artificial Intelligence (AI) relying heavily on vast datasets, including publicly available personal online data and increasing amounts of fines for data breaches the individuals demand for control over personal data increases. The purpose of this thesis is to analyze the efficacy of the GDPR in granting data subjects control over their personal data when they are used to train AI. Therefore, the research questions are whether data subjects can effectively rely on consent as a legal basis (Art. 6(1)(a)) and the principle of purpose limitation (Art. 5(1)(b)) under the GDPR to ensure control over the processing of their personal data for AI training and if the right to erasure (Art. 17 GDPR) poses an effective right against unwanted data processing in AI training. The EU legal method was employed in a dogmatic manner under consultation of the GDPR, AI Act and supporting documents of the EDPB and WP29. This thesis concludes that data subjects cannot effectively rely on consent as a legal basis for processing personal data in the context of AI training,
primarily due to the purpose limitation principle, which conflicts detrimentally with the purposes of AI. Consequently, AI developers may instead rely on legitimate interests as a legal basis (Art. 6(1)(f) GDPR). Although anonymization techniques may exempt AI developers from GDPR compliance, this depends on a case-by-case assessment of the risk of re-identifying personal data. Lastly, this thesis found the right to erasure to be theoretically a powerful right directly invokable by the data subjects, but practically difficult to apply to AI training. Research of machine unlearning (MU) techniques may give hope for an effective enforcement of the right to erasure under the GDPR.}},
  author       = {{Sykora, Lea}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{It’s not for free, it’s just accessible - The Role of Consent, Purpose Limitation, and the Right to Erasure as GDPR Safeguards in AI Training}},
  year         = {{2025}},
}

LUP Student Papers

LUND UNIVERSITY LIBRARIES

It’s not for free, it’s just accessible - The Role of Consent, Purpose Limitation, and the Right to Erasure as GDPR Safeguards in AI Training