Understanding Priorities: The Importance of Defining AI's Desired Outcomes Before Implementation
A new online platform, copyrighted in 2025, is not intended for users within the European Economic Area (EEA). However, it's essential to understand that websites not directly subject to the General Data Protection Regulation (GDPR) may still fall under its jurisdiction if they process personal data of EEA residents or target them, unintentionally or otherwise.
The GDPR imposes several key privacy and access restrictions on websites relevant to EEA users. One such requirement is the need for explicit consent from users before collecting and processing their personal data, with clear explanations of the purposes and notifications in case of breaches.
Another critical aspect is the regulation of data transfers. Personal data can only be transferred freely outside the EEA to countries with "adequate" data protection standards. In the absence of such an adequacy decision, additional safeguards are required for data transfers.
Regarding cookies and tracking, the UK, post-Brexit, revised its cookie consent rules (under the DUAA 2025). Functional cookies (analytics, preferences, security) no longer necessarily require opt-in but must provide transparency and opt-out mechanisms.
The enforcement of GDPR compliance falls under the purview of regulatory bodies such as the European Data Protection Board (EDPB) and national Data Protection Authorities. These entities monitor and enforce compliance, including for EU institutions like the European Commission, which must adhere to data protection rules in services like Microsoft 365.
For websites that deliberately exclude EEA users, it is advised to implement geo-blocking or disclaimers to avoid inadvertently targeting or processing EEA residents' data, which would trigger GDPR obligations. However, mere intention does not exempt a website from GDPR if EEA personal data is nevertheless obtained or processed.
In summary, while websites not aimed at EEA users may avoid GDPR obligations by excluding such users effectively, any processing of EEA residents' personal data activates GDPR privacy and access restrictions, including consent, transparency, breach notification, and data transfer limitations. It is crucial for platform owners to understand these regulations to ensure compliance and protect the privacy of their users.
[1] European Commission. (2018). General Data Protection Regulation (Regulation (EU) 2016/679). Brussels. [2] European Data Protection Board. (2021). Guidelines 05/2020 on the concepts of controller and processor in the GDPR. [3] Information Commissioner's Office. (2021). Cookie guidance. Retrieved from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-pecr/cookies-and-similar-technologies/ [4] European Data Protection Board. (2021). Guidelines 06/2021 on the GDPR's territorial scope. [5] European Commission. (2021). Adequacy decisions. Retrieved from https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Artificial-intelligence algorithms integrated into the new online platform may need to comply with GDPR's requirements for processing personal data, as they could interact with EEA residents.
Despite the platform not explicitly targeting EEA users, technology advancements, such as AI, could inadvertently lead to the collection and processing of personal data from individuals within the EEA, thereby activating GDPR's privacy and access restrictions.
