On 18 September 2025, KU Leuven, leader of the HEREDITARY Project’s Legal Work Package (WP7), hosted the third Legal Workshop focusing on two relevant questions:

  1. When are AI models to be considered anonymous?
  2. What does the GDPR (and related guidance) say about data protection of AI models in healthcare?

The session, led by Elisabetta Biasin from the KU Leuven Centre for IT & IP Law (CiTiP), explored the latest opinion of the European Data Protection Board (EDPB) on the processing of personal data in the context of AI models. This guidance is particularly relevant for healthcare-related AI models, such as those developed within HEREDITARY.

The session began with the definition of some basic concepts that had already been discussed in previous workshops: personal data, sensitive data, identifiability, and anonymous/pseudonymous data. The legal foundations regulating these concepts in the European Union are the AI Act and the GDPR.

A key takeaway was the EDPB’s position that AI models trained on personal data cannot automatically be considered anonymous. Instead, their status must be assessed case by case, taking into account the risk of regurgitation and extraction of the personal data used in the training, even unintentionally. Participants discussed scenarios in which anonymisation could be achieved, as well as the technical and organisational safeguards required to reduce identification risks.

The discussion highlighted the complexity of ensuring compliance: while some argued that neural networks typically abstract away personal identifiers, others pointed out that research has shown it is possible to reconstruct sensitive information from trained models. This underlines the importance of rigorous testing, documentation, and risk assessment throughout an AI model’s lifecycle.

The discussion also touched on the intersection of GDPR and the new EU AI Act, both of which set obligations for developers and users of AI systems. For HEREDITARY, these insights are not only theoretical but directly influence how the project designs and tests its AI tools for healthcare applications.

The workshop concluded with a forward-looking perspective: evaluating anonymity in AI is challenging but essential and possible, and further research is needed in areas such as anonymisation techniques, cybersecurity, and legal compliance.