Generative AI is quickly becoming a staple for businesses, with 78% now using it in some capacity. This marks a significant increase, up from 65% in 2024. However, data privacy protections haven’t quite kept pace with this rapid adoption. In fact, cross-border AI-related data breaches caused by the misuse of GenAI across international borders are expected to account for 40% of all breaches by 2027. A new Gartner forecast reveals this trend.
The root of the problem is that GenAI tools typically learn from internet data and run on cloud infrastructure. This can put them at odds with data localisation laws that require data to be stored and processed within a set region. Although rules have recently been introduced in the EU and the U.S. to help cover these gaps, businesses can stay ahead. They can update their data policies to include responsible GenAI use.
Table of Contents
How EU and U.S. Data Regulations Impact GenAI
Now that genAI is playing a bigger role in business, regulators worldwide have started to provide more clarity on how data protection laws relate to its use. For instance, in a recent decision, the European Data Protection Board announced that using personal data for AI training is acceptable and in line with GDPR (the General Data Protection Regulation). This is the case as long as the final product itself doesn’t disclose any sensitive information. The same goes for cross-border data — if an international AI model is trained on and stores EU personal data, it must comply with GDPR rules on handling and processing that data fairly.
Meanwhile, the U.S. has also introduced the 2025 Final Rule. It aims to limit the transfer of personal information to certain countries of concern, like China and Russia. This potentially affects U.S. businesses that may use overseas services to train or operate AI models. Under this law, sensitive personal data (which includes location, health, and financial data) is entirely off limits from being shared with these countries.
Training Data Can Expose Personal Information
Developers rely on massive datasets to train their GenAI models, many of which are pulled from the public internet. It’s therefore inevitable that this data often includes “personal data” that can be used to identify people. For example, researchers were able to identify a man in a naked photo and even pinpoint the specific address of where a baby’s picture was taken. They achieved this by analyzing the open-access LAION dataset. If genAI inadvertently memorizes and reproduces identifying information about people, this naturally opens up the door to serious security risks. For example, data leaks can potentially give hackers enough details to target customers, impersonate employees, or launch cyberattacks. These can successfully bypass a business’s security measures.
On top of security worries, there are also legal issues to think about. With different countries having their own data privacy laws, businesses need to be extra careful. They should ensure whether and how their data is transferred or stored by GenAI overseas. Cross-border data transfers can be a regulatory minefield. What’s allowed in one country may be off-limits in another. So, businesses must be aware of the laws in all the regions where their data is handled. Staying compliant is crucial to avoid big fines or penalties and maintain trust with customers.
GenAI Data Privacy: A Cross-Border Responsibility
While businesses are largely responsible for data privacy, it’s also up to all genAI users to be proactive and keep their data safe. This is particularly important when you consider that a whopping 70 million Americans share private information with OpenAI’s ChatGPT. But something as simple as reviewing data privacy settings can protect AI users and their personal information. “OpenAI’s privacy policy states that content you submit can be used to improve its models unless you opt out through settings,” explains Dray Agha, Security Operations Manager at Huntress. It’s just that users often aren’t aware they have the option to stop their data from being used to train the tool. Or even that OpenAI does this with their chats.
This also means it’s a good idea for people to be careful with what they share with GenAI tools altogether. Names, addresses, passwords, financial information, and health information — all these are best kept private. Instead, save the tools for everyday questions or tasks, or those that don’t involve private or sensitive details.
AI-Specific Risk Assessments for Businesses: Focus on Data Lineage
Gartner also advises businesses to include AI-specific risk assessments in their data privacy policies to avoid cross-border GenAI risks. To do this, you need to pay close attention to data lineage. It starts with where the model’s training data comes from. You don’t want to use outputs that come from training on untrusted or sensitive data. This can open your business up to costly compliance risks. So, to avoid this issue, ask your GenAI provider if their training data is sourced from trusted places that have explicit user consent.
Also, regularly contact providers to check exactly where your data is listed and processed. Knowing the physical or cloud storage locations will help you understand if you’re complying with relevant privacy regulations like GDPR or the California Consumer Privacy Act, for instance.
If it turns out your data is being sent across borders, be aware of what that means for your legal obligations. Different countries have different data protection laws, so you may need to adjust your business’s data handling practices. For instance, you might need to ask for extra permission from customers or add stronger security controls to limit which employees can access and handle the data. If you do discover that the tool doesn’t meet local privacy laws, you’ll need to stop using it altogether. Move on to something else. The same also applies if it doesn’t comply with laws in any region where your data is stored or processed.
With GenAI adoption on the rise across all industries, cross-border privacy risks are a growing concern. Businesses should act now to include AI in their data governance policies. This is important as governments continue to create new laws to further tackle these issues.
