Bridging the Gap: EU’s AI Action Plan and Privacy Challenges

EU’s AI Action Plan Faces Gaps in Privacy and Compliance Rules

The European Commission released its AI Continent Action Plan on April 9, 2025, outlining an industrial strategy to boost AI capabilities across the EU. The plan emphasizes building compute infrastructure, enhancing access to high-quality data, supporting adoption across sectors, and developing AI talent. Notably, OpenAI’s EU Economic Blueprint, released shortly before, aligns closely with this vision, calling for significant investments in compute, usable data, simpler regulations, and advancements in STEM education.

On the surface, the public and private visions appear to align. However, when assessed against the EU’s legal frameworks, particularly the AI Act and the General Data Protection Regulation (GDPR), several critical policy gaps emerge.

Infrastructure is in Focus, but Execution Remains Vague

The Commission aims to enhance Europe’s compute capacity through the establishment of AI Factories and larger Gigafactories, each designed to accommodate 100,000 high-end AI chips. These facilities are intended to support AI startups and research communities across the Union, backed by the €20 billion InvestAI initiative.

OpenAI also proposes a substantial increase in computing capacity, targeting a 300% rise by 2030, explicitly linking this goal to clean energy and sustainability. However, the Action Plan currently lacks details on how these data-heavy Gigafactories will manage energy use, and it gives no timeline for their rollout.

In contrast, India is developing AI public infrastructure under the IndiaAI mission, but it has yet to outline a national compute roadmap comparable to the proposed Gigafactories.

Data Access Goals Conflict with Existing Privacy Rules

Both the Action Plan and OpenAI emphasize that access to usable, high-quality data is vital. The Commission plans to establish Data Labs and implement a Data Union Strategy to consolidate datasets from various sectors. Meanwhile, OpenAI advocates for AI Data Spaces that balance utility with privacy and legal clarity.

However, updated GDPR rules impose stringent restrictions on the reuse of data, particularly personal data. Even anonymized data carries legal uncertainties, depending on its handling. The Action Plan fails to clarify how these new data initiatives will comply with existing privacy regulations, leaving a significant legal gap.

In India, the Digital Personal Data Protection Act offers fewer barriers to anonymized data reuse, yet it still lacks a coherent framework for structured AI data access from public or sectoral sources.

No Clear Path Between AI Act and GDPR

Currently, the AI Act and GDPR operate independently, lacking a cohesive connection. The AI Act focuses on regulating high-risk AI systems, while the GDPR governs the use of personal data, including AI-driven profiling and automated decisions. For developers whose systems fall under both regulations, there is no clear guidance on compliance, complicating adherence and generating uncertainty.

Startups Get Mentioned, but Support Remains Limited

Both the Action Plan and GDPR reforms propose easing the compliance burden on small companies, promising “simplified compliance” and reduced paperwork for SMEs. However, in reality, these supports primarily manifest as documentation and help desks rather than tangible funding or legal assistance.

OpenAI highlights that for startups, particularly those developing high-risk or foundational models, advisory supports are often insufficient. The organization recommends dedicated legal support and easier access to public funding to enable smaller players to operate effectively within regulated environments.

Foundation Models Don’t Fit into the Current Legal Framework

The AI Act categorizes AI systems by risk level at the point of creation. That approach does not adequately address foundation models, which are general-purpose and can evolve based on user fine-tuning or deployment. These models may transition to high-risk status post-deployment, yet the law does not account for this evolution.

OpenAI advocates for adaptive regulation and sandbox environments that allow policymakers to monitor these models in use. Unfortunately, the Action Plan and GDPR revisions do not engage with this pressing issue.

Why This Matters

The European Commission and OpenAI share a clear vision for AI development in Europe, highlighting the importance of infrastructure, data access, and responsible regulation. However, this shared understanding has not yet translated into a cohesive legal framework.

Gaps in enforcement, conflicting privacy regulations, and the absence of a clear regulatory approach for foundation models hinder the effective implementation of the EU’s AI plans. For India and other nations still formulating AI policy, this situation serves as a cautionary tale about the dangers of developing infrastructure and regulation in isolation.

Note: The headline and certain paragraphs have been edited for clarity based on editorial inputs.
