The European Union’s Artificial Intelligence Act (AI Act) reshapes how AI systems are developed and used. The Act makes clear that compliance with it presupposes compliance with existing EU data protection, cybersecurity, and fundamental rights law.
Developing or training an AI system almost always involves processing personal data, which triggers data protection law. While the Act intersects with data protection law at many points, anonymization of data, in particular data masking and obfuscation, emerges as a key mechanism for easing compliance with the data governance obligations of the EU AI Act.
This article sheds light on the EU AI Act, the interplay between the GDPR and the EU AI Act, and how operators of AI systems, especially of high-risk systems, can employ anonymization to support AI compliance.
EU AI Act: The first comprehensive regulation on AI
The EU’s first comprehensive regulation on artificial intelligence, the EU AI Act (Regulation (EU) 2024/1689), entered into force on August 1, 2024 and applies directly in all 27 member states. The Act encourages the development of trustworthy artificial intelligence while mitigating adverse effects on the EU’s ethical values, fundamental rights, and safety.

The new AI law adopts a risk-based approach to regulation, classifying AI systems into four risk categories: unacceptable, high, limited, and minimal. Requirements and obligations vary by category and come into effect under a phased rollout; the majority apply 24 months after entry into force, i.e., from August 2, 2026.
Non-compliance with the Act can result in administrative fines ranging from EUR 7.5 million or 1% of worldwide annual turnover (for supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities) up to EUR 35 million or 7% of worldwide annual turnover (for engaging in prohibited AI practices), whichever amount is higher. Article 2 of the Act sets its scope: it reaches providers and deployers in the AI supply chain irrespective of where they are established, as long as they place AI systems on the EU market, put them into service in the EU, or use AI systems whose output is used in the EU.
Interplay between the EU AI Act and the GDPR
The EU AI Act mentions the EU GDPR, Regulation (EU) 2016/679, 30 times throughout its 180 recitals and 113 articles. This frequent mention is expected, given that AI models are trained on datasets that quite often include the personal data of individuals. Datasets containing identifiers such as names, location data, facial images, and license plate numbers that can be linked to a person are personal data under the GDPR.
Whenever personal data is used in the development or deployment of an AI system, companies must navigate the potential overlap between the two regimes to ensure compliance and avoid penalties. While the GDPR focuses on the protection of personal data, the EU AI Act applies to both personal and non-personal data. Although their approaches differ, organizations must carefully map out their obligations to determine which of their operations are governed by the GDPR, the EU AI Act, or both.

Role of anonymization in EU AI Act compliance
Article 10(2) of the EU AI Act mandates that training, validation, and testing datasets shall be subject to data governance and management practices appropriate for the intended purpose of the high-risk AI system, including examination for possible biases. Article 10(5) then allows providers of high-risk AI systems, exceptionally and subject to safeguards, to process special categories of personal data where this is strictly necessary for bias detection and correction. Article 2(7) clarifies that the EU AI Act does not affect Regulation (EU) 2016/679 (GDPR) or Directive 2002/58/EC (ePrivacy Directive), without prejudice to Articles 10(5) and 59.
Article 59 governs the further processing of personal data, lawfully collected for other purposes, to develop certain high-risk AI systems in the public interest within an AI regulatory sandbox, and conditions it on continued compliance with existing data protection law. Ensuring that an AI system is fair and unbiased will therefore also require compliance with relevant GDPR requirements, including lawfulness, fairness, and transparency (Article 5(1)(a)); data minimization (Article 5(1)(c)); accuracy (Article 5(1)(d)); processing of special categories of personal data (Article 9); rights of data subjects (Articles 12–22); and security of processing (Article 32).
Article 9 of the GDPR is particularly relevant: processing special categories of personal data, such as genetic and biometric data, is prohibited unless one of the exceptions in Article 9(2) applies, and even then a lawful basis under Article 6 is still required. Properly anonymized data, however, is not personal data at all (Recital 26), so neither Article 9 nor the rest of the GDPR applies to it. Two caveats matter in practice: the act of anonymizing is itself processing that needs a lawful basis, and data only counts as anonymous if re-identification is not reasonably likely taking into account the means that could be used, which is a higher bar than blurring or hashing an identifier.
Article 5 of the EU AI Act bans prohibited AI practices, such as real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (subject to narrow exceptions), and the untargeted scraping of facial images from the internet or CCTV footage to build facial recognition databases. These prohibitions were the first requirements of the Act to take effect, on February 2, 2025.
Article 6 of the EU AI Act describes the thresholds for classifying AI systems as high-risk. The Act, in Annex III, specifies eight different contexts that are generally considered high-risk, such as critical infrastructure management (e.g., AI-driven traffic management systems) and biometric identification systems that are not prohibited (e.g., recognizing fingerprints or irises at border controls).

AI systems used solely for biometric verification in 1:1 matching, i.e., for confirming that a person is who they claim to be (e.g., unlocking a phone with face or fingerprint scanning), are not considered high-risk. Remote biometric identification in a 1:N setting (picking an individual out of a group) is classified as high-risk, which brings requirements for technical documentation, data governance, risk management, transparency, human oversight, and, for certain deployers, a fundamental rights impact assessment (Article 27).
To meet the requirements for high-risk AI systems, especially when biometric, genetic, or other sensitive data are used to train the models, AI developers can employ anonymization, encryption, or pseudonymization techniques. These support compliance with:
- Data governance and management (Article 10). Where special categories of personal data are processed for bias detection, Article 10(5) requires safeguards such as technical limits on re-use and state-of-the-art security and privacy-preserving measures, naming pseudonymization and encryption for cases where anonymization would defeat the purpose. For example, a health-tech company collects facial photographs from hundreds of patients to train a high-risk AI system that diagnoses skin diseases. Blurring everything except the skin regions under study limits the data to what the purpose needs (data minimization) and reduces the risk of identifying individuals, thereby protecting their privacy and data protection rights.
- Accuracy, robustness, and cybersecurity (Article 15), which requires AI systems to be technically robust and resilient against attempts to alter their use, outputs, or performance, including attacks on the training data. Anonymization does not by itself make a model robust, but it limits the damage: a leaked training set, or a model-inversion or membership-inference attack against the trained model, can only reveal what the data still contains.
- Fundamental rights impact assessments (FRIA), which require certain deployers of high-risk AI systems to assess their impact on fundamental rights. Where the system processes personal data, anonymization can be applied to reduce the risk of non-compliance with the GDPR. Data that has been irreversibly anonymized is non-personal under the GDPR. When developers and deployers conduct a FRIA (Article 27) or a conformity assessment (Article 43), they must therefore be able to show that re-identification is not reasonably likely with the means available, rather than simply assert that the data is anonymous.
- Recital 69 stresses that the right to privacy and the protection of personal data must be guaranteed throughout the entire lifecycle of the AI system, so the GDPR principles of data minimization and data protection by design and by default apply whenever personal data is processed. For example, when an automotive company records street scenes to build datasets for training autonomous vehicles or advanced driver assistance systems (ADAS), faces and license plates in the recordings should be blurred.
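The distinction between anonymization and pseudonymization drawn above is easy to get wrong for identifiers with a small value space, such as license plates. The following Python example (added here; it is not code from the original article or from Gallio.pro) shows why: an unkeyed hash of a plate is reversed in well under a second by enumerating the plate format, a keyed HMAC resists outsiders but is still reversible by the key holder (so the GDPR still applies to it), and only dropping the field removes the personal data. The plate format (two letters plus two digits), the sample record, and the key are constructed for the demo and do not correspond to any real registration scheme.

```python
"""Hashing a licence plate is pseudonymisation, not anonymisation.

Added example, not part of the original article. The toy plate
format, the sample record and the key are constructed for the demo.
"""
import hashlib
import hmac
import itertools
import string
from typing import Optional

# Constructed toy format: two letters followed by two digits, i.e.
# 26 * 26 * 10 * 10 = 67,600 possible plates. Real formats are larger,
# but still far too small to resist enumeration on commodity hardware.
LETTERS = string.ascii_uppercase
DIGITS = string.digits


def all_plates():
    """Yield every plate in the toy format."""
    for a, b in itertools.product(LETTERS, repeat=2):
        for c, d in itertools.product(DIGITS, repeat=2):
            yield f"{a}{b}{c}{d}"


def naive_pseudonym(plate: str) -> str:
    """Unkeyed SHA-256 of the plate: deterministic, and reversible by
    anyone who can enumerate the plate format."""
    return hashlib.sha256(plate.encode()).hexdigest()


def keyed_pseudonym(plate: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Outsiders without the key cannot
    enumerate plates, but the key holder can, so this is still
    pseudonymised personal data under the GDPR."""
    return hmac.new(key, plate.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(digest: str, key: Optional[bytes] = None) -> Optional[str]:
    """Recover the plate behind a digest by hashing every plate in the
    format and comparing. Returns None when nothing matches, which is
    what an attacker without the HMAC key sees."""
    for plate in all_plates():
        if key is None:
            candidate = naive_pseudonym(plate)
        else:
            candidate = keyed_pseudonym(plate, key)
        if hmac.compare_digest(candidate, digest):
            return plate
    return None


def anonymise_record(record: dict) -> dict:
    """Irreversible treatment: the plate is dropped entirely and only the
    attributes the training task needs are kept. Nothing remains to
    reverse, so the result is no longer personal data."""
    return {k: v for k, v in record.items() if k != "plate"}


def demo() -> dict:
    """Run the three treatments on one constructed dashcam record."""
    key = b"demo-key-kept-by-the-data-controller"  # constructed for the demo
    record = {"frame": 1042, "plate": "KX42", "vehicle_class": "car"}

    naive = naive_pseudonym(record["plate"])
    keyed = keyed_pseudonym(record["plate"], key)

    return {
        # Anyone can reverse the unkeyed hash.
        "naive_reversed": reverse_by_enumeration(naive),
        # Without the key the keyed digest matches no plate...
        "keyed_reversed_without_key": reverse_by_enumeration(keyed),
        # ...but the key holder reverses it just as easily.
        "keyed_reversed_with_key": reverse_by_enumeration(keyed, key),
        # Dropping the field leaves nothing to reverse.
        "anonymised": anonymise_record(record),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical reading for a conformity assessment or FRIA: a hashed or encrypted identifier still counts as personal data as long as someone holds the key or can enumerate the input space, so it belongs under Article 10(5)'s safeguards rather than being treated as anonymous. Irreversible masking (dropping the field, or blurring a face or plate region so the original pixels are destroyed) is what takes the data outside the GDPR, and even then the assessment should ask whether what remains (vehicle model, location, timestamp) could still single a person out.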
Enabling AI compliance with Gallio.pro’s advanced anonymization
The EU AI Act imposes strict requirements on the processing of personal data when AI systems are trained. It will have a profound effect on how AI developers balance data privacy protection with preserving the data that is genuinely necessary for training. Gallio.pro masks personally identifiable data, such as license plates and faces, allowing you to uphold AI model performance while complying with privacy regulations. Our anonymization solutions can help you meet the stringent requirements for high-risk AI systems and mitigate the risk of legal and regulatory complications.