Post updated 31.03.2025
In our previous post on the AI Act, we concluded with a remark concerning the AI Act and the GDPR (General Data Protection Regulation): Are the two regulations aligned, or are there contradictions?
In this post we want to explore this question.
NOTE: When we speak about personal data and data subjects in the following, it is in the context of the GDPR. In addition, our concerns about AI and GDPR are mainly directed at general-purpose AI systems (GPAI-systems), where large amounts of (scraped) data are used to train the GPAI-model on which the GPAI-system is built. (See box F below for exact definitions.)
The scope of the AI Act is comprehensive – it applies to any actor and user of AI systems within the jurisdiction of European Union law, regardless of the actor’s country of residence.
Like the GDPR, the AI Act is a regulation, as opposed to a directive, which means that EU member countries have to implement it in their own legislation with only minor adaptive changes. The AI Act has EEA (European Economic Area) relevance as well, which means that the AI Act has to be implemented in Norwegian legislation – as the GDPR was.

The diagram shown illustrates the situation: There are some obvious overlaps because AI systems may process personal data, and so GDPR principles apply.
On that basis, we could say “end of story” and “case closed”. However, there are some differences and potential conflicts, making it worthwhile to spend some time on the issue.
It is beyond the scope of this blog post to cover all aspects of the issue at hand, so let’s discuss the fundamentals, with what’s most relevant to Runbox in mind.