Authors listed:
- Georgios Feretzakis
(School of Science and Technology, Hellenic Open University, 26335 Patras, Greece)
- Evangelia Vagena
(Athens University of Economics and Business, 10434 Athens, Greece)
- Konstantinos Kalodanis
(Department of Informatics and Telematics, Harokopio University of Athens, 17676 Kallithea, Greece)
- Paraskevi Peristera
(Division of Psychobiology and Epidemiology, Department of Psychology, Stockholm University, 10691 Stockholm, Sweden)
- Dimitris Kalles
(School of Science and Technology, Hellenic Open University, 26335 Patras, Greece)
- Athanasios Anastasiou
(Biomedical Engineering Laboratory, National Technical University of Athens, 15780 Athens, Greece)
Abstract
Large Language Models (LLMs) have revolutionized natural language processing but present significant technical and legal challenges when confronted with the General Data Protection Regulation (GDPR). This paper examines the complexities involved in reconciling the design and operation of LLMs with GDPR requirements. In particular, we analyze how key GDPR provisions—including the Right to Erasure, Right of Access, Right to Rectification, and restrictions on Automated Decision-Making—are challenged by the opaque and distributed nature of LLMs. We discuss issues such as the transformation of personal data into non-interpretable model parameters, difficulties in ensuring transparency and accountability, and the risks of bias and data over-collection. Moreover, the paper explores potential technical solutions such as machine unlearning, explainable AI (XAI), differential privacy, and federated learning, alongside strategies for embedding privacy-by-design principles and automated compliance tools into LLM development. The analysis is further enriched by considering the implications of emerging regulations like the EU’s Artificial Intelligence Act. In addition, we propose a four-layer governance framework that addresses data governance, technical privacy enhancements, continuous compliance monitoring, and explainability and oversight, thereby offering a practical roadmap for GDPR alignment in LLM systems. Through this comprehensive examination, we aim to bridge the gap between the technical capabilities of LLMs and the stringent data protection standards mandated by GDPR, ultimately contributing to more responsible and ethical AI practices.
Suggested Citation
Georgios Feretzakis & Evangelia Vagena & Konstantinos Kalodanis & Paraskevi Peristera & Dimitris Kalles & Athanasios Anastasiou, 2025.
"GDPR and Large Language Models: Technical and Legal Obstacles,"
Future Internet, MDPI, vol. 17(4), pages 1-26, March.
Handle:
RePEc:gam:jftint:v:17:y:2025:i:4:p:151-:d:1623026