The Limits of the GDPR in the Personalisation Context and Beyond

In the EU, regulatory analysis of artificial intelligence in general and personalisation more specifically often starts with data protection law, more specifically the General Data Protection Regulation (GDPR). This is unsurprising due to the fact that training data often contains personal data and that the output of these systems can also take the form of personal data. There are, however, limits to data protection’s ability to function as a general AI law. My intervention highlights the importance of being realistic about the GDPR’s opportunities and limitations in this respect. It examines the application of certain elements of the GDPR to data-driven personalisation and highlights that whereas the Regulation indeed applies to the processing of personal data, it would be erroneous to frame it as a general ‘AI law’ capable of addressing all normative concerns around personalisation.