AI Rules for GDPR Compliance

GDPR gives EU residents rights over their personal data: access, rectification, erasure, portability, and objection. AI rules must encode these rights into every feature that processes personal data.

7 min read · July 5, 2025

GDPR fines reach 4% of global revenue. AI rules must encode data subject rights into every feature that touches personal data.

Access, erasure, portability rights, consent management, cookie compliance, privacy by design, and EU data residency

GDPR: Data Protection as a Fundamental Right

GDPR (General Data Protection Regulation) applies to any organization that processes personal data of EU residents, regardless of where the organization is located. Fines: up to 4% of annual global turnover or 20 million euros, whichever is higher. Key principles: lawfulness, fairness, transparency (Article 5.1a), purpose limitation (5.1b), data minimization (5.1c), accuracy (5.1d), storage limitation (5.1e), integrity and confidentiality (5.1f), and accountability (5.2).

AI-generated code must implement GDPR by default for any application that serves EU users. This is not optional — even a SaaS product based in the US that has EU customers must comply. AI rule: 'If the application may have EU users (which is nearly all web applications): implement GDPR-compliant data handling from the start. It is far more expensive to retrofit GDPR compliance than to build it in.'

Personal data under GDPR: any information relating to an identified or identifiable natural person. This includes: names, email addresses, IP addresses, cookie identifiers, location data, device fingerprints, and online identifiers. The definition is broader than most developers expect. AI rule: 'Treat all user-identifying data as personal data under GDPR: names, emails, IPs, cookies, device IDs, location, and any data that could identify someone when combined with other data.'

Data Subject Rights: Code Must Enable Them

Right of access (Article 15): users can request all personal data held about them. AI rule: 'Generate a data export endpoint that compiles all personal data for a user across all data stores (database, file storage, logs, analytics). Format: machine-readable (JSON or CSV). Response time: within 30 days. The AI must design data models that make it possible to find all data associated with a user ID.'

Right to erasure (Article 17 — right to be forgotten): users can request deletion of their personal data. AI rule: 'Generate a user deletion workflow that: soft-deletes immediately (stops processing), hard-deletes personal data within 30 days, anonymizes data that must be retained for legal reasons (replace personal identifiers with anonymized IDs), and cascades deletion to all subsystems (if the user's data is in multiple services, all must delete). Verify deletion completeness.'

Right to data portability (Article 20): users can request their data in a structured, commonly-used, machine-readable format. AI rule: 'Generate data export in JSON or CSV format. Include: profile data, content created by the user, activity history, and preferences. The export format must be usable by other services (not a proprietary format). This is different from the access right — portability requires a format that enables transfer to another service.'
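The access and portability rules above both depend on one design decision: every store that holds personal data must be findable by user ID. The following is an added example (not the page's or any project's code) of an export that walks a registry of stores and returns one machine-readable record, plus a flat CSV writer for the portability case. The stores, records, collector functions and the pseudonymous-ID mapping for the analytics store are all constructed for this example.

```python
"""Added example: Article 15 / Article 20 export built on a registry of every
data store that can hold personal data. Stores and records are constructed."""
import csv
import io
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sample stores. In a real system each collector would query the
# database, object storage, the analytics platform, the log pipeline, etc.
USERS = {"u-42": {"name": "Ada Example", "email": "ada@example.invalid"}}
POSTS = [
    {"id": "p-1", "author": "u-42", "text": "first post"},
    {"id": "p-2", "author": "u-7", "text": "someone else's post"},
]
ACTIVITY = [
    {"user": "u-42", "event": "login", "ip": "203.0.113.5", "at": "2025-07-01T09:00:00Z"},
    {"user": "u-42", "event": "export_requested", "ip": "203.0.113.5", "at": "2025-07-04T11:30:00Z"},
]
# Analytics is keyed by a pseudonymous ID. Keeping the mapping is what makes
# this store findable by user ID at all (the data-model point in the text).
ANALYTICS_ID = {"u-42": "anon-9f3c"}
ANALYTICS = {"anon-9f3c": {"page_views": 17, "last_seen": "2025-07-04"}}

Collector = Callable[[str], object]


class DataExporter:
    """Registry of every subsystem that can hold personal data."""

    def __init__(self) -> None:
        self._collectors: Dict[str, Collector] = {}

    def register(self, store: str, collect: Collector) -> None:
        self._collectors[store] = collect

    def export(self, user_id: str) -> dict:
        """Compile all personal data for user_id into one record. Every registered
        store appears in the output even when empty, so a reviewer can see that
        no store was skipped."""
        return {
            "user_id": user_id,
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "stores": {name: collect(user_id) for name, collect in self._collectors.items()},
        }

    def to_json(self, user_id: str) -> str:
        return json.dumps(self.export(user_id), indent=2, sort_keys=True)


def portability_csv(records: List[dict]) -> str:
    """Article 20 format for a flat list of records: plain CSV with a header row,
    readable by any other service rather than a proprietary layout."""
    if not records:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=sorted(records[0]))
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()


def build_exporter() -> DataExporter:
    """Wire the constructed stores into the registry."""
    exporter = DataExporter()
    exporter.register("profile", lambda uid: USERS.get(uid))
    exporter.register("posts", lambda uid: [p for p in POSTS if p["author"] == uid])
    exporter.register("activity", lambda uid: [a for a in ACTIVITY if a["user"] == uid])
    exporter.register("analytics", lambda uid: ANALYTICS.get(ANALYTICS_ID.get(uid, "")))
    return exporter


if __name__ == "__main__":
    ex = build_exporter()
    print(ex.to_json("u-42"))
    print(portability_csv(ex.export("u-42")["stores"]["posts"]))
```

The registry is the point: a new subsystem that starts holding personal data must register a collector, or its absence shows up as a missing key in every export review.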

Right to rectification (Article 16): users can correct inaccurate personal data. Right to restriction (Article 18): users can request that their data not be processed while a dispute is being resolved. AI rule: 'Generate profile editing capabilities for all personal data fields. Generate a restriction flag that halts processing of the user's data while maintaining the data (not deleting it).'

⚠️ Deletion Must Cascade to All Systems

A user requests account deletion. You delete from the main database. But their data also exists in: the search index (Elasticsearch), the email marketing platform (Mailchimp), the analytics system (Mixpanel), the CDN cache (Cloudflare), backup snapshots, and log files. GDPR requires deletion from all systems. The AI must generate a deletion workflow that tracks all subsystems holding user data and cascades the deletion to each one, with verification that each system completed the deletion.
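The erasure rule, the restriction flag and the cascade warning above describe one workflow. The following added example (not the page's or any project's code) models it: an immediate soft delete that stops processing, an Article 18 restriction status that shares the same gate, a cascade to every registered subsystem, anonymization of records that must be retained, and a verification step that refuses to close the request while any subsystem still holds the user. The subsystems, records and the deliberately stuck cache are constructed for this example.

```python
"""Added example: Article 17 deletion workflow with soft delete, cascade,
anonymization of retained records, and per-subsystem verification.
All subsystems and records here are constructed."""
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Status(Enum):
    ACTIVE = "active"
    RESTRICTED = "restricted"       # Art. 18: data is kept, processing is halted
    PENDING_DELETION = "pending"    # soft-deleted: processing halted, hard delete due
    DELETED = "deleted"             # every subsystem verified clean


def processing_allowed(status: Status) -> bool:
    """Gate every batch job, export or model run must pass before using a user's data."""
    return status is Status.ACTIVE


class Subsystem:
    """Contract each data-holding system implements: delete, then prove it."""
    name = "base"

    def delete(self, user_id: str) -> None:
        raise NotImplementedError

    def still_holds(self, user_id: str) -> bool:
        raise NotImplementedError


class KeyedStore(Subsystem):
    """Stands in for the primary DB, search index or mailing list keyed by user ID."""
    def __init__(self, name: str, rows: Dict[str, dict]) -> None:
        self.name, self.rows = name, rows

    def delete(self, user_id: str) -> None:
        self.rows.pop(user_id, None)

    def still_holds(self, user_id: str) -> bool:
        return user_id in self.rows


class LedgerStore(Subsystem):
    """Invoices must be retained for legal reasons: strip identifiers instead of deleting."""
    name = "ledger"

    def __init__(self, rows: List[dict]) -> None:
        self.rows = rows

    def delete(self, user_id: str) -> None:
        for row in self.rows:
            if row["user"] == user_id:
                row["user"] = "anon-" + secrets.token_hex(6)   # random, unlinkable replacement ID
                row.pop("email", None)

    def still_holds(self, user_id: str) -> bool:
        return any(r["user"] == user_id for r in self.rows)


class StuckCache(Subsystem):
    """Simulates a CDN purge request that is accepted but never applied."""
    name = "cdn_cache"

    def __init__(self, user_id: str) -> None:
        self.cached = {user_id}

    def delete(self, user_id: str) -> None:
        pass                                # the purge silently does nothing

    def still_holds(self, user_id: str) -> bool:
        return user_id in self.cached


@dataclass
class DeletionReport:
    user_id: str
    completed: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return not self.failed


class DeletionWorkflow:
    def __init__(self, subsystems: List[Subsystem]) -> None:
        self.subsystems = subsystems
        self.status: Dict[str, Status] = {}

    def restrict(self, user_id: str) -> None:
        self.status[user_id] = Status.RESTRICTED

    def request_deletion(self, user_id: str) -> None:
        # Step 1, immediate: soft delete so no further processing happens.
        self.status[user_id] = Status.PENDING_DELETION

    def hard_delete(self, user_id: str) -> DeletionReport:
        # Step 2, within the retention window: cascade and verify each subsystem.
        report = DeletionReport(user_id)
        for sub in self.subsystems:
            try:
                sub.delete(user_id)
            except Exception:
                report.failed.append(sub.name)
                continue
            (report.failed if sub.still_holds(user_id) else report.completed).append(sub.name)
        # Only a fully verified cascade closes the request; otherwise it stays pending for retry.
        if report.complete:
            self.status[user_id] = Status.DELETED
        return report


def build_workflow(user_id: str, cache_stuck: bool) -> DeletionWorkflow:
    """Constructed fixture: four stores holding the user, optionally one that fails to purge."""
    subsystems: List[Subsystem] = [
        KeyedStore("primary_db", {user_id: {"email": "ada@example.invalid"}}),
        KeyedStore("search_index", {user_id: {"doc": "profile"}}),
        KeyedStore("mailing_list", {user_id: {"subscribed": True}}),
        LedgerStore([{"invoice": "inv-1", "user": user_id, "email": "ada@example.invalid", "amount": 42}]),
    ]
    if cache_stuck:
        subsystems.append(StuckCache(user_id))
    wf = DeletionWorkflow(subsystems)
    wf.status[user_id] = Status.ACTIVE
    return wf


if __name__ == "__main__":
    wf = build_workflow("u-42", cache_stuck=True)
    wf.request_deletion("u-42")
    print(wf.hard_delete("u-42"))
```

The stuck cache is the case the warning is about: a purge that returns success without removing anything. Verifying with `still_holds` rather than trusting the delete call is what keeps the request open for retry instead of marking it complete.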

Privacy by Design and DPIAs

Article 25 — Data protection by design and by default: implement appropriate technical and organizational measures that put the data protection principles into effect. AI rule: 'Every new feature: minimize data collection (collect only what is needed), pseudonymize where possible (use user IDs instead of names in internal processing), encrypt personal data at rest and in transit, implement access controls (only authorized personnel access personal data), and set retention limits (auto-delete after the retention period).'
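Three of the Article 25 defaults in the rule above (minimization, pseudonymization, retention limits) can be applied mechanically at the point where a record is written. The following added example (not the page's or any project's code) shows an analytics event pipeline that drops every field the stated purpose does not need, replaces the user ID with a keyed hash before the event leaves the service, and purges events past the retention period. The key, the allowlist, the 90-day retention period and the sample events are constructed for this example.

```python
"""Added example: Article 25 defaults applied to an analytics event write path.
Key, allowlist, retention period and events are constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed: in production this key lives in a secrets manager, never beside the data.
PSEUDONYM_KEY = b"example-key-do-not-use"
# Only these fields are needed for the stated purpose (page-view analytics).
ALLOWED_FIELDS = {"user_id", "page", "at"}
# Constructed retention period; auto-delete after it.
RETENTION = timedelta(days=90)


def pseudonymize(user_id: str) -> str:
    """Keyed hash: stable per user, so analytics still aggregates, but not
    reversible by anyone who holds the events without the key."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(event: Dict) -> Dict:
    """Data minimization: drop anything the purpose does not need (email, raw IP, ...)."""
    return {k: v for k, v in event.items() if k in ALLOWED_FIELDS}


def record_event(raw: Dict) -> Dict:
    """What actually gets written to the analytics store."""
    ev = minimize(raw)
    ev["user_id"] = pseudonymize(ev["user_id"])
    return ev


def purge_expired(events: List[Dict], now: datetime) -> List[Dict]:
    """Storage limitation: keep only events younger than RETENTION.
    Timestamps are ISO 8601 with an explicit offset."""
    cutoff = now - RETENTION
    return [e for e in events if datetime.fromisoformat(e["at"]) >= cutoff]


# Constructed sample input: what a naive client might send.
RAW_EVENT = {
    "user_id": "u-42",
    "email": "ada@example.invalid",
    "ip": "203.0.113.5",
    "page": "/pricing",
    "at": "2025-07-01T09:00:00+00:00",
}

if __name__ == "__main__":
    stored = record_event(RAW_EVENT)
    print(stored)
    old = dict(stored, at="2025-03-01T09:00:00+00:00")
    print(purge_expired([stored, old], datetime(2025, 7, 5, tzinfo=timezone.utc)))
```

Pseudonymization (keyed, stable) is deliberately different from the anonymization used when a user is erased: here the key holder can still link events to a user, which is what makes it pseudonymous rather than anonymous under GDPR, and why the key must be held outside the analytics store.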

Data Protection Impact Assessment (DPIA — Article 35): required when processing is likely to result in high risk to individuals. Triggers: large-scale processing of sensitive data, systematic monitoring of public areas, automated decision-making with legal effects. AI rule: 'When the AI generates features involving: profiling, automated decisions affecting users, large-scale personal data processing, or sensitive data (health, biometric, political views): flag for DPIA review. The AI cannot determine whether a DPIA is required — but it can flag features that likely trigger one.'

Cross-border data transfers (Chapter V): personal data of EU residents cannot be transferred outside the EU/EEA without adequate safeguards (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules). AI rule: 'Infrastructure hosting: verify that personal data is stored in the EU/EEA or in a country with an adequacy decision. Cloud services: select EU regions. Third-party processors: verify SCCs or adequacy. The AI generating infrastructure code should default to EU regions for applications serving EU users.'

ℹ️ EU Region by Default for EU Users

GDPR Chapter V restricts transferring personal data outside the EU/EEA. The simplest compliance approach: store EU users' data in EU cloud regions. AWS eu-west-1 (Ireland), GCP europe-west1 (Belgium), Azure West Europe (Netherlands). If data must flow to the US: Standard Contractual Clauses (SCCs) with supplementary measures (encryption in transit + at rest, access controls preventing US government access to plaintext). The AI should default to EU regions when generating infrastructure for EU-facing applications.

GDPR AI Rules Summary

Summary of AI rules for GDPR-compliant code generation.

  • Personal data: broader than expected. Names, emails, IPs, cookies, device IDs, location all qualify
  • Right of access: data export endpoint returning all user data in 30 days. Machine-readable format
  • Right to erasure: deletion workflow with soft-delete, hard-delete, cascading, and verification
  • Right to portability: JSON/CSV export in a format usable by other services
  • Consent: freely given, specific, informed. No pre-ticked boxes. Easy withdrawal. Stored with timestamp
  • Cookies: block non-essential until consent. Per-category consent. Load scripts only after consent
  • Privacy by design: minimize collection, pseudonymize, encrypt, access-control, retention limits
  • Cross-border: EU regions by default. SCCs for non-EU processors. Verify adequacy decisions