Share This Article
The European Commission’s proposal to codify legitimate interest as a legal basis for AI training marks the most significant reform to the GDPR since its adoption. By explicitly recognizing legitimate interest as legal basis for AI training, the Commission aims to reconcile data protection with the realities of modern artificial intelligence.
If confirmed on 19 November 2025 as part of the EU Digital Omnibus package, this change would move beyond interpretation and give legal certainty to a question that has divided EU regulators for years: Can AI developers lawfully train models with personal data under the GDPR?
From legal uncertainty to clear regulatory ground
Until now, the use of legitimate interest as legal basis for AI training has been a grey area. Some national authorities allowed it under strict conditions, while others rejected it outright. The European Data Protection Board (EDPB), in its Opinion 28/2024 on AI model training, took a restrictive view — warning that companies must carry out detailed balancing tests and could not presume that legitimate interest applies automatically.
The Commission’s initiative represents a shift from uncertainty to codification. Instead of relying on variable national interpretations, this reform would anchor AI training directly in EU law through a new provision in the GDPR — similar to the “soft spam” exception under the ePrivacy Directive.
This approach would harmonize rules across Member States and offer a clear, predictable framework for AI innovation.
Legal implications of codifying legitimate interest for AI training
The proposed reform carries major legal and practical consequences for the interplay between the GDPR and the EU AI Act.
1. Greater legal certainty for AI developers
The explicit inclusion of legitimate interest as legal basis for AI training would give companies a stable legal ground for processing personal data to train models, particularly when using publicly available information. It would finally end the patchwork of national interpretations that created compliance risks and discouraged innovation.
2. Harmonization and consistency
By codifying legitimate interest within the GDPR, the EU would ensure uniform application across all Member States. This consistency would simplify compliance for multinational organizations and reduce the risk of conflicting regulatory decisions.
3. Protection of special categories of data
The reform would not open the door to unrestricted processing. Sensitive personal data — including those revealing health, ethnicity, religion, or sexual orientation — would remain under Article 9 GDPR safeguards. Only “ordinary” personal data could fall within the legitimate interest scope, provided controllers perform balancing assessments and apply technical measures such as data minimization and pseudonymization.
4. Impact on transparency and user rights
AI developers relying on legitimate interest AI training would still need to comply with GDPR transparency requirements. Individuals must be clearly informed that their data may be used for AI model training and must retain their rights to access, object, and erasure.
A pragmatic answer to the EDPB’s caution
In its 2024 opinion on AI model training, the EDPB highlighted serious privacy concerns about large-scale data scraping, repurposing, and lack of user awareness. It argued that legitimate interest could not justify indiscriminate collection of personal data.
As analyzed in my previous article “EDPB opinion on AI model Training: How to Address GDPR Compliance?“, the EDPB’s caution was understandable — but it also created regulatory paralysis. The Commission’s proposal aims to restore balance by acknowledging the necessity of data for AI development while maintaining strong safeguards.
This move signals a policy shift toward pragmatism: Europe is realizing that innovation and data protection are not mutually exclusive.
Balancing innovation and fundamental rights
The challenge ahead is ensuring that legitimate interest as legal basis for AI training does not undermine fundamental rights. Even with a codified lawful basis, companies must continue to demonstrate accountability by:
-
Applying privacy-by-design and by-default principles;
-
Ensuring clear transparency notices for data subjects;
-
Avoiding any use of special categories of data without explicit consent.
As to the legitimate interest assessment, a LIA might not be needed if the underlying legitimate interest is expressly provided by the law. However, companies will have prove that their AI training fits within the scope of the relevant provision.
Codification will not exempt companies from compliance — it will redefine the compliance boundaries. The real question is whether authorities and organizations can strike a balance that supports innovation while safeguarding personal freedoms.
Aligning the GDPR with the AI Act
The EU AI Act establishes risk-based obligations but does not define the lawful basis for processing data during training. The Commission’s amendment would fill that gap, creating a coherent bridge between data protection and AI governance.
If implemented effectively, this change could make Europe a global benchmark for trustworthy AI regulation — combining legal certainty with robust rights protection.
However, its success will depend on the scope of the final wording. If too broad, it may weaken privacy protection; if too narrow, it could fail to provide the clarity that businesses urgently need.
A decisive step for Europe’s digital future
The codification of legitimate interest as legal basis for AI training could redefine how Europe approaches both privacy and technological development. It represents a strategic evolution — not a retreat — from the GDPR’s original spirit.
By embedding this principle directly into the regulation, the EU sends a clear message: Europe wants to remain the global leader in responsible AI innovation.
Whether this move will satisfy both privacy advocates and industry players remains to be seen. But it undeniably marks a turning point in the dialogue between data protection and digital progress — one that could shape Europe’s AI landscape for the next decade.
On a similar topic, you can read the article “Enforcing data subjects’ privacy rights in the context of Artificial Intelligence (AI)“.