GDPR and AI: Why 'We'll Be Compliant Eventually' Isn't Good Enough

amaiko Insights

~7 min
gdpr data-privacy compliance

Episode notes

Andrew challenges amaiko on whether GDPR panic is overblown now that the EU-US Data Privacy Framework survived its first legal challenge. amaiko pushes back with the Schrems track record, the Vodafone fine, and the difference between legal minimums and defensible positions. They clash over whether German-only data processing is necessary or just fear-mongering — and whether AI with persistent memory can ever truly comply with the right to erasure.

Topics discussed

  • EU-US Data Privacy Framework: survived the Latombe challenge, but NOYB and Schrems are preparing a broader attack
  • Microsoft Copilot in-country processing for Germany promised for 2026 — no specific month, no contractual SLA published
  • German hosting vs. model quality: frontier models run on German GPUs deliver identical results — data residency is an infrastructure question, not a model quality question
  • BfDI's record Vodafone fine: EUR 45 million in June 2025 — Germany's largest-ever GDPR penalty
  • Persistent AI memory vs. right to erasure: structured database profiles vs. training data baked into model weights
  • Italy's Garante fined OpenAI EUR 15 million for ChatGPT GDPR violations including transparency failures
  • Mittelstand risk: a 4% turnover fine is existential for a EUR 50M company, not a line item
  • EU AI Act GPAI obligations enforceable since August 2025 — most companies still treating it as a future problem
  • AI processing, consent, and vendor management identified as the three fastest-growing fine triggers for late 2026

Full article: amaiko.ai/blog/gdpr-ai-compliance

Sources cited: DLA Piper GDPR Fines Survey January 2026, EDPB, BfDI (Vodafone fine June 2025), Italian Garante (OpenAI fine), NOYB, EU General Court (Latombe v. Commission), Microsoft 365 Blog (November 2025), EU AI Act (Regulation 2024/1689), Captain Compliance, Tech Policy Press