Artificial intelligence is reshaping how organizations operate, make decisions, and interact with individuals. At the same time, it is redefining expectations around ethics, accountability, and trust. Long recognized as a fundamental right and a core compliance requirement, privacy has now become a structural pillar of AI governance. To enable responsible and sustainable AI, privacy must be embedded throughout the entire AI lifecycle. From design and training to deployment, oversight, continuous improvement, and decommissioning.
A fragmented but converging global landscape
The global regulatory landscape for AI and privacy remains fragmented. International bodies such as the OECD, United Nations, G7, and Council of Europe have promoted shared principles emphasizing transparency, accountability, human rights, and security. However, the way these principles are translated into binding rules varies significantly across regions.
Europe has emerged as a regulatory benchmark through the combined effect of the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (AI Act). Together, they establish a risk‑based and rights‑focused framework that integrates data protection with AI governance requirements such as impact assessments, accountability, and human oversight. Other regions follow different paths. The United States relies on state‑level privacy laws and sector‑specific enforcement, Asia‑Pacific jurisdictions range from China’s strict regulatory approach to voluntary or principles‑based models in countries such as Japan and Singapore. Latin America, Africa, and the Middle East are progressing at different speeds, often using data protection as an entry point for broader AI governance.
Despite these differences, a global convergence is emerging around core values. Transparency, non‑discrimination, robustness, security, and human oversight are increasingly recognized as essential to trustworthy AI. At the same time, regulatory fragmentation raises compliance costs and operational complexity for organizations operating across borders, reinforcing the need for coherent internal governance frameworks.
GDPR and the AI Act: A complementary governance model and the Belgian DPA perspective
Across Europe, supervisory authorities are increasingly framing AI regulation not as a departure from existing data protection law, but as its continuation. This perspective is clearly reflected in guidance from the Belgian Data Protection Authority (DPA),[1] which clarifies how the GDPR applies to artificial intelligence systems and how these obligations interact with the AI Act.
Rather than introducing entirely new concepts, the guidance positions AI regulation as an operationalization of GDPR principles across the AI lifecycle. Privacy, accountability, and risk management are not replaced by the AI Act. They are reinforced and extended.
Importantly, the Belgian DPA adopts a lifecycle‑based approach to compliance. Data protection obligations are expected to apply from the earliest stages of system design and training, through deployment, monitoring, and eventual decommissioning. Compliance is therefore not something to be addressed only at the point of use, but a continuous responsibility embedded into AI development and operation.
From the supervisory perspective, the Belgian DPA positions GDPR compliance not as a legacy obligation, but as a structural enabler of lawful and trustworthy AI. Organizations that have embedded privacy by design, accountability, and risk management under the GDPR are better placed to meet the requirements of the AI Act and to deploy AI systems in a responsible and sustainable manner.
This approach mirrors wider international developments. Most high‑risk AI use cases involve the processing of personal data, meaning that many AI risks, such as bias, lack of transparency, or unfair outcomes, ultimately stem from how data is collected, used, and governed. Embedding privacy therefore directly supports broader AI objectives, including fairness, explainability, and accountability.
Operationalizing privacy across the AI Lifecycle
Embedding privacy in AI requires moving from principles to concrete practices at each stage of the lifecycle.
At the design and training stage, key priorities include data minimization, documentation of training sources, bias prevention, and the use of anonymized, pseudonymized, or synthetic data where possible. Early testing and validation help prevent downstream risks and costly remediation.
During deployment and production, organizations must ensure robust security controls, traceability, and transparency towards users. As AI systems are retrained or adapted, legal bases and consent requirements should be reassessed, and renewed where necessary.
Continuous oversight and monitoring are essential as AI systems evolve and contexts change. Meaningful human oversight remains critical, particularly for automated decision‑making affecting individuals. Finally, responsible decommissioning ensures that data, documentation, and residual risks are handled appropriately when systems are retired.
From abstract principles to supervisory expectations
In the broader European context, the Belgian DPA’s guidance illustrates how supervisory authorities are moving beyond abstract principles towards operational expectations for AI. By framing GDPR and AI Act obligations as structurally linked and lifecycle‑wide, the guidance offers a practical lens on how privacy and AI governance are expected to converge in practice.
Ultimately, embedding privacy across the AI lifecycle is not only about regulatory compliance. It is about building trust and ensuring that AI systems are legitimate, resilient, and aligned with fundamental rights, and that innovation remains responsible and sustainable.
