Introduction
With the rapid development of artificial intelligence (AI) technology, the demand to process personal data keeps growing, and that demand sits in a delicate balance with the strict data protection principles of the European Union's General Data Protection Regulation (GDPR). In recent years the EU, while seeking to promote AI innovation, has also been actively exploring how to give AI development more flexibility within the existing legal framework. The GDPR's "legitimate interest" clause is seen as a key route that could "green-light" AI training. This article analyzes the EU's latest position on legitimate interest as a basis for AI training in the GDPR revision and related guidance, discusses the potential impact on Chinese AI companies, and offers corresponding compliance recommendations.
Core Content Analysis
Overview of the "Legitimate Interest" Clause under the GDPR
Article 6(1)(f) GDPR provides that a controller may lawfully process personal data where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided those interests are not overridden by the fundamental rights and freedoms of the data subject. This clause offers a flexible legal basis other than "consent", especially for processing activities for which explicit consent is difficult to obtain but which carry significant commercial or social value.
To rely on legitimate interest as a legal basis, the controller must pass a "three-step test":
- Purpose test: the interest pursued by the controller must be genuine, explicit and lawful.
- Necessity test: the processing must be necessary to achieve that legitimate interest and must not be achievable by other means with less impact on the data subject's privacy.
- Balancing test: the controller's legitimate interest must be weighed against the data subject's rights and freedoms, ensuring that the data subject's interests are not unreasonably harmed.
Latest Positions of the European Commission and DPAs
EU regulators and data protection authorities (DPAs) have issued a series of guidelines and opinions on the applicability of "legitimate interest" to AI training, showing a trend of seeking balance between strict regulation and fostering innovation:
- European Data Protection Board (EDPB) opinion: in its opinion of December 2024, the EDPB stated clearly that AI model development and deployment may rely on "legitimate interest" as a legal basis under the GDPR. However, the EDPB stressed that companies must carry out a case-by-case legitimate interest assessment (LIA) and implement appropriate privacy safeguards, such as data minimization, pseudonymization and measures preventing personal data from leaking in model outputs.
- French National Commission on Informatics and Liberty (CNIL) guidance: CNIL's guidance of June 2025 further clarifies that scraping data from public sources for AI training can be based on legitimate interest where specific conditions are met (such as respecting the website's robots.txt protocol, not scraping platforms aimed at minors, and not collecting highly sensitive data). CNIL also noted that even where the model architecture makes deletion of, or objection to, an individual's data hard to implement directly, data subject rights can be respected through alternatives such as output filtering and audit trails.
- "Digital Comprehensive Act" proposal: in November 2025 the European Commission published the "Digital Comprehensive Act" proposal, which aims to revise EU digital rules including the GDPR. The proposal expressly adds a new Article 88c to the GDPR, providing that personal data processing for the development and operation of AI systems may be based on legitimate interest, subject to specific conditions and provided that data subjects' interests are not harmed.
Exemption for Processing Sensitive Data
The "Digital Comprehensive Act" proposal also introduces a new exemption under Article 9 GDPR, allowing sensitive data to be processed for AI development and operation under specific conditions and safeguards. This addresses the practical problem that the large datasets used in AI training inevitably contain some sensitive data. For example, health information contained in a text corpus may be permitted where minimization and safeguards are in place. It must be stressed, however, that this is not a "blank check": where an AI system is specifically designed to process health or biometric data, explicit consent is still required.
Broadening the Definition of Anonymized Data
The proposal also broadens the definition of "anonymized" data, which may take more processing activities outside the GDPR's scope. Companies relying on anonymized data must nevertheless remain alert to the risk that data subjects are re-identified through re-identification attacks.
Potential Impact and Strategic Implications for Chinese AI Companies
These latest EU developments bring Chinese AI companies opportunities as well as new challenges.
Opportunities
- Greater legal certainty: the EU's explicit inclusion of AI training within the scope of "legitimate interest" gives Chinese companies a clearer legal basis for AI business in the EU market and reduces compliance uncertainty.
- Easier data access: subject to the conditions and safeguards set out by CNIL and other DPAs, Chinese companies can use public data for AI model training more flexibly, which helps lower data acquisition costs and improve model efficiency.
- Flexibility for sensitive data: the limited ability to process the sensitive data that is unavoidable in AI training helps improve model accuracy and robustness, especially in fields with high data-quality demands such as healthcare and finance.
Challenges
- Compliance requirements remain strict: despite some "loosening", the core GDPR requirements (legitimate interest assessment, data minimization, safeguards, data subject rights) are unchanged and in some respects strengthened (for example, the right to object is reinforced as "unconditional"). Chinese companies will need to invest more resources in building a complete compliance system.
- Fragmented cross-border supervision: the DPAs of individual EU member states may interpret and enforce "legitimate interest" differently, and overlapping frameworks such as the AI Act and copyright law keep the compliance environment complex. Chinese companies need to follow the specific requirements of each member state.
- Technical and management challenges: implementing technical safeguards such as pseudonymization, anonymization and output filtering, and building internal compliance processes including data protection impact assessments (DPIAs), place higher demands on companies' technical and management capabilities.
Compliance Recommendations
To respond effectively to the opportunities and challenges of the GDPR revision, Chinese AI companies should adopt the following compliance strategies:
- Establish a sound legitimate interest assessment mechanism: strictly follow the EDPB's three-step method (purpose test, necessity test, balancing test), assess every AI data processing activity based on legitimate interest in detail, and document the assessment properly for regulatory review.
- Strengthen data protection measures: at every stage of AI model training and deployment, implement technical and organizational measures such as data minimization, pseudonymization and anonymization. When handling sensitive data in particular, apply state-of-the-art security and privacy safeguards such as strict access control, logging and regular deletion.
- Respect data subject rights: ensure the rights to information, objection and erasure are effectively guaranteed. Even where the model architecture makes deletion of an individual's data hard to implement directly, offer alternatives such as output filtering, audit trails or documented suppression logic.
- Watch multiple legal frameworks: beyond the GDPR, Chinese AI companies also need to follow closely the EU AI Act, copyright law, the Digital Services Act and related rules to ensure comprehensive compliance. For example, when scraping public data, consider copyright and database rights at the same time and respect the platform's terms of service.
- Monitor and adapt continuously: follow closely the latest guidance and cases published by the European Commission, the EDPB and national DPAs, and adjust internal compliance strategies and technical implementations in good time. The rapid development of AI means privacy and compliance strategies must stay flexible and forward-looking.
Conclusion
The EU's clarification of "legitimate interest" for AI training in the GDPR revision and related guidance undoubtedly sends a positive signal to the global AI industry, including Chinese AI companies. It shows the EU taking an important step in balancing data protection with technological innovation. This "loosening" is, however, not a relaxation of supervision but a further clarification of the compliance path. Chinese AI companies should seize this opportunity, actively adjust their compliance strategies, build sound data protection systems and, with professional insight and forward-looking legal and business advice, achieve sustainable development in the EU market.
Prospects of GDPR Revision (II): Green Light for AI Training? How the “Legitimate Interest” Clause Empowers Chinese AI Companies
Introduction
With the rapid development of artificial intelligence (AI) technology, the demand for processing personal data has been increasing, creating a delicate balance between such demand and the stringent data protection principles advocated by the European Union’s General Data Protection Regulation (GDPR). In recent years, the EU has been actively exploring ways to facilitate AI innovation while providing greater flexibility for AI development within the existing legal framework. Among these, the “Legitimate Interest” clause under the GDPR is seen as a key pathway to “greenlight” AI training. This article will provide an in-depth analysis of the EU’s latest stance on the legitimate interest basis for AI training in the GDPR revision and related guidelines, explore its potential impact on Chinese AI enterprises, and propose corresponding compliance recommendations.
Core Content Analysis
Overview of the “Legitimate Interest” Clause under GDPR
Article 6(1)(f) of the GDPR stipulates that a data controller may lawfully process personal data if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided such interests are not overridden by the fundamental rights and freedoms of the data subject. This clause offers a flexible legal basis for data processing beyond “consent,” especially for processing activities for which explicit consent is difficult to obtain but which carry significant commercial or social value.
To rely on legitimate interest as a legal basis, data controllers must undergo a “three-step test”:
- Purpose Test: The pursued interest must be genuine, explicit, and lawful.
- Necessity Test: The data processing must be necessary to achieve that legitimate interest and cannot be realized through other means that would have less impact on the data subject’s privacy.
- Balancing Test: A balance must be struck between the data controller’s legitimate interests and the rights and freedoms of the data subjects, ensuring that the latter’s interests are not unreasonably harmed.
Latest Positions from the European Commission and DPAs
EU regulators and Data Protection Authorities (DPAs) have issued a series of guidelines and opinions regarding the applicability of legitimate interest in AI training, demonstrating a trend of balancing strict regulation with fostering innovation:
- European Data Protection Board (EDPB) Opinion: In the opinion released in December 2024, the EDPB clearly stated that AI model development and deployment can rely on legitimate interest as a legal basis under the GDPR. However, it emphasized that companies must conduct case-by-case legitimate interest assessments (LIAs) and implement appropriate privacy safeguards, such as data minimization, pseudonymization, and measures to prevent leakage of personal data in model outputs.
- French National Commission on Informatics and Liberty (CNIL) Guidance: CNIL’s guidance issued in June 2025 further clarifies that data scraping from public sources for AI training can be based on legitimate interest under specific conditions (such as respecting the website’s robots.txt protocol, avoiding platforms targeting minors, and excluding highly sensitive data). CNIL also noted that even when the model architecture makes direct deletion or objection of individual data difficult, alternative solutions like output filtering and audit trails can be employed to respect data subject rights.
- “Digital Comprehensive Act” Proposal: In November 2025, the European Commission proposed the “Digital Comprehensive Act,” aiming to revise EU digital regulations including the GDPR. The proposal explicitly introduces Article 88c to the GDPR, stipulating that personal data processing for the development and operation of AI systems may be based on legitimate interest under specific conditions and without harming data subject interests.
Exemptions for Processing Sensitive Data
The “Digital Comprehensive Act” proposal also introduces new exemptions under Article 9 of the GDPR, allowing the processing of sensitive data for AI development and operation under certain conditions and safeguards. This addresses the practical issue that large AI training datasets inevitably contain some sensitive data. For example, health information included in text corpora may be permitted if minimization and protective measures are in place. It is important to stress, however, that this does not constitute a “blank check”; explicit consent remains required when AI systems specifically process health or biometric data.
Broadening the Definition of Anonymized Data
The proposal further broadens the definition of “anonymized” data, potentially excluding more data processing activities from GDPR’s scope. Nonetheless, companies relying on anonymized data must remain vigilant against the risk that data subjects are re-identified through re-identification attacks.
Potential Impact and Strategic Insights for Chinese AI Companies
These latest EU developments present both opportunities and challenges for Chinese AI enterprises.
Opportunities
- Enhanced Legal Certainty: The EU’s explicit inclusion of AI training under legitimate interest provides Chinese companies with a clearer legal basis for conducting AI business in the EU market, reducing compliance uncertainties.
- Facilitated Data Access: Under the conditions and safeguards proposed by CNIL and other DPAs, Chinese companies can more flexibly use public data for AI model training, helping reduce data acquisition costs and improve model efficiency.
- Flexibility in Sensitive Data Processing: The limited allowance for processing sensitive data unavoidable in AI training helps improve model accuracy and robustness, especially in data-quality demanding fields like healthcare and finance.
Challenges
- Strict Compliance Requirements Remain: Despite some relaxation, core GDPR requirements such as legitimate interest assessments, data minimization, safeguards, and data subject rights remain unchanged or are even strengthened (e.g., the right to object is reinforced as “unconditional”). Chinese enterprises need to invest more resources to develop comprehensive compliance systems.
- Fragmented Cross-border Regulation: Variations in interpretation and enforcement of legitimate interest among EU member states’ DPAs, combined with overlapping legal frameworks such as the AI Act and copyright law, continue to complicate the compliance environment. Chinese companies must pay close attention to specific requirements in different member states.
- Technical and Managerial Challenges: Implementing pseudonymization, anonymization, output filtering, and establishing robust internal compliance processes including Data Protection Impact Assessments (DPIAs) pose higher demands on enterprises’ technical and management capabilities.
Compliance Recommendations
To effectively respond to the opportunities and challenges brought by the GDPR revision, Chinese AI companies should adopt the following compliance strategies:
- Establish Robust Legitimate Interest Assessment Mechanisms: Strictly follow the EDPB’s three-step approach (purpose test, necessity test, and balancing test) for all AI data processing activities based on legitimate interest. Document the assessment process thoroughly to prepare for regulatory inspections.
- Enhance Data Protection Measures: Implement comprehensive technical and organizational safeguards such as data minimization, pseudonymization, and anonymization throughout all stages of AI model training and deployment. When processing sensitive data, apply state-of-the-art security and privacy protections including strict access controls, logging, and regular data deletion.
- Respect Data Subject Rights: Ensure effective guarantees of data subjects’ rights to information, objection, and deletion. Even when direct deletion is difficult due to model architecture, provide alternative solutions like output filtering, audit trails, or documented suppression logic.
- Monitor Multiple Legal Frameworks: Beyond GDPR compliance, Chinese AI companies must also closely follow relevant EU regulations such as the AI Act, copyright law, and Digital Services Act to ensure comprehensive compliance. For example, when scraping public data, also consider copyright and database rights and respect platform terms of service.
- Maintain Continuous Monitoring and Adaptation: Keep abreast of the latest guidelines and case law issued by the European Commission, EDPB, and national DPAs, and promptly adjust internal compliance strategies and technical implementations. The fast evolution of AI technology requires privacy and compliance strategies to remain flexible and forward-looking.
Conclusion
The EU’s clarification of legitimate interest for AI training in the GDPR revision and related guidelines undoubtedly sends positive signals to the global AI industry, including Chinese AI enterprises. It demonstrates an important step forward in balancing data protection with technological innovation. However, this “loosening” does not imply regulatory relaxation but rather a clearer path for compliance. Chinese AI companies should seize this opportunity to actively adjust compliance strategies and establish sound data protection systems, leveraging professional insights and forward-looking legal and business advice to achieve sustainable development in the EU market.
Statement
This article is intended for discussion only and does not constitute a legal opinion or advice in any form from Guangyue Law Firm (廣悅律師事務所) or its lawyers. If you wish to reproduce or cite any content of this article, please contact the firm for authorization and credit the source when doing so. If you would like to discuss related matters further or need professional legal support, you are welcome to contact the firm.
Contact: Ms. Ye Wen
We look forward to further exchanges with you!
About Guangyue Law Firm
Guangyue Law Firm was founded in 2008 and is a full-service law firm with a foreign-related practice, based in the Greater Bay Area and committed to integrated management. Today Guangyue has a professional team of more than one hundred lawyers and other legal service staff and a diversified practice system, and can provide clients with high-quality, comprehensive, one-stop legal services. Following its development strategy of "rooted in the Bay Area, collaborating with Hong Kong and Macao, facing the world", Guangyue now has eight offices: Guangzhou, Hong Kong, Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), with clients across many countries and regions inside and outside China.
Contributed by丨Guangyue Milan Office
Editor丨Wu Baoxuan
Reviewed by丨Su Bing
Approved by丨Brand Promotion and Market Development Committee