Google faces EU investigation over AI data compliance

European privacy regulator, Data Protection Commission (DPC), has launched an inquiry into Google over its use of the personal data of users in the region, adding to the tech giant’s growing legal challenges.

In a statement, DPC said that the inquiry focuses on whether Google complied with obligations under GDPR to conduct a Data Protection Impact Assessment (DPIA) before processing personal data of EU or EEA individuals in developing its AI model, Pathways Language Model 2 (PaLM 2).

DPIA is a process designed to help data controllers identify and mitigate data protection risks associated with high-risk processing activities. It aims to ensure that the processing is necessary and proportionate and that adequate safeguards are implemented based on the identified risks.

The investigation is part of the DPC’s broader efforts to ensure generative AI adheres to privacy regulations.

Recently, the commission initiated court action and reached an agreement with social media platform X, requiring the company to stop using EU users’ personal data for AI training until they are given the option to withdraw consent.

This inquiry adds to Google’s mounting legal challenges. In August, a US District Court ruled that the search giant is a monopoly, stating it used its dominance in the online search market to suppress competition.

A separate trial focused on Google’s advertising business is also currently being conducted.

Impact on Google

Despite mounting regulatory concerns for Google, analysts do not expect the inquiry to have a significant short-term impact.

Priya Bhalla, practice director at Everest Group, noted that most large enterprises are aware of these issues and have taken internal measures to protect their AI initiatives.

These steps include investing in data and AI governance, limiting applications in high-risk areas, and using fine-tuned versions of large language models (LLMs), among others.

“Additionally, if we take a broader lens on this, enterprises understand that this is not the first company that has been put into the spotlight, and it’s not going to be the last, so I don’t see any goodwill impact for Google,” Bhalla added.

A likely scenario is Google following the example of X, who recently agreed to pause or stop using content from European users to train their models.

DPC’s impact on AI usage

In a recent blog post about large language models, DPC said that organizations using AI products based on personal data could be classified as data controllers and should consider conducting formal risk assessments.

The commission advised that before deploying an AI system, users should understand the personal data it processes, how it is used, whether third parties are involved, how long the data is retained, and how the product complies with GDPR obligations.

This means that while localizing the training of foundation models is crucial, transparency about the data used for training is becoming a baseline requirement.

“Enterprises racing to train their AI models using foundational models from Google or Meta may need to pause and assess compliance with user privacy and local regulations,” said Neil Shah, partner and co-founder at Counterpoint Research. “This could slow AI rollouts, especially in the EU, where businesses rely on tech giants with large-scale, advertising-driven models.”

Regulatory gray areas

Enterprises partnering with the likes of Google or OpenAI would prioritize regulatory compliance, which mainly addresses consent-based data collection. However, this creates a gray area of concern, according to Faisal Kawoosa, chief analyst at Techarc.

“Legally and technically, regulations may be followed,” Kawoosa said but added that users often face a dilemma – without consent, the service cannot be accessed, but with consent, their data is used, and they may not fully understand how.

 “It’s also tricky to establish in court that there are gaps in the way data is collected and used,” Kawoosa added. “Given this, enterprises will primarily look at whether regulatory compliances have been followed. They may also check if the best practices have been adhered to, but that’s the extent of what they can do.”