Swedish Privacy Regulator Takes on One of AI’s Most Persistent GDPR Questions
Key Takeaways
- Responsibility Follows Decision-Making Authority: IMY's central conclusion is that GDPR responsibility depends less on the technology being used and more on who determines why personal data is processed and how it will be used.
- Product Development Can Trigger Controller Status: Suppliers that fine-tune AI models using personal data for their own product development will generally be considered data controllers, carrying primary GDPR obligations.
- Customer Instructions Point Toward Processor Roles: When suppliers fine-tune AI models on behalf of a customer and according to that customer's instructions, they will typically be treated as data processors rather than controllers.
- AI Projects Are Exposing Governance Gaps: The report addresses a practical challenge many organizations face as AI development blurs traditional lines of responsibility between vendors and customers, particularly during model customization and deployment.
- GDPR Remains Central to AI Governance: While attention has largely focused on the EU AI Act, IMY's guidance underscores that many of today's AI governance questions are still fundamentally GDPR questions involving accountability, purpose, and control over personal data.
Deep Dive
A Swedish startup called Eggsplain spent the spring working with the country's privacy regulator on a question that has become surprisingly difficult to answer. When an AI supplier fine-tunes a model using personal data, who is actually responsible for that data?
The answer sounds like it should be straightforward. Under the General Data Protection Regulation (GDPR), every processing activity is supposed to have clearly defined roles. In practice, AI development has made those lines harder to draw. Suppliers customize models. Customers provide data. Development happens collaboratively. Responsibilities that looked clear on paper begin to blur once a project gets underway.
The Swedish Authority for Privacy Protection (IMY) recently published the results of a pilot project aimed at bringing some order to that uncertainty. The report examines situations that are becoming increasingly common across the AI market. A supplier starts with a pre-trained model and fine-tunes it using personal data. Sometimes the work is performed to improve the supplier's own product. Sometimes it is carried out for a customer. Sometimes both parties are involved in shaping the final system.
The regulator's conclusion is less about artificial intelligence than it is about a principle that sits at the heart of GDPR. Why is the data being processed, and for whose benefit? If a supplier decides on its own initiative to fine-tune a model with personal data as part of developing or improving its product, IMY says the starting point is that the supplier acts as a data controller. The supplier is making decisions about the purpose of the processing and bears the responsibilities that come with that role.
The situation changes when the same supplier performs the work on behalf of a customer.
"If the fine-tuning is instead done on behalf of a specific customer and according to the customer's instructions, it normally means that the supplier is a data processor," David Suh, the project's manager, said in the report.
Controller status brings with it the primary burden of GDPR compliance. Controllers must establish a lawful basis for processing, satisfy transparency requirements, respond to data subject rights requests, and demonstrate accountability for the decisions they make. Processors have obligations as well, but they operate under the instructions of the controller.
For companies building AI products, the difference is substantial. It determines who carries legal responsibility when personal data enters the development process.
A Practical Problem, Not a Theoretical One
The report arrives at a moment when many organizations are discovering that deploying AI is often easier than determining who is responsible for it.
Sweden has become home to a growing number of companies developing their own AI solutions. At the same time, organizations frequently report uncertainty about how existing privacy rules apply once models are customized, retrained, or adapted using personal data. That uncertainty has consequences: contract negotiations take longer, responsibilities are debated late in projects, and legal teams find themselves trying to retrofit governance structures after technical decisions have already been made.
IMY's project with Eggsplain was designed to address exactly that problem. Rather than revisiting broad debates about AI regulation, the work focused on how GDPR's existing framework applies when organizations adapt AI systems using personal data.
The regulator's answer is notable for what it does not do. It does not attempt to create a new category for AI. It does not suggest that AI development requires a different interpretation of GDPR. Instead, it returns repeatedly to the same idea that has shaped European privacy law for years, which is that responsibility follows decision-making authority.
Much of the discussion surrounding AI governance in Europe has centered on the EU AI Act, with organizations trying to understand new obligations that will emerge over the coming years. Yet many of the questions companies face today are not really AI Act questions. They are GDPR questions.
Who determines the purpose of the processing? Who decides how personal data will be used? Who benefits from that use? Those questions existed long before generative AI. They remain the questions regulators are asking now.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

