Response
This is a genuinely thorny overlap that I don't think enough people are paying attention to.
**The core conflict:**
- GDPR Chapter V (Arts. 44-50) governs transfers of personal data to third countries. SCCs, adequacy decisions, BCRs — the usual toolkit.
- AI Act Art. 34 requires providers of high-risk AI systems to register the system in the EU database, which includes information about the training data. If your training data includes personal data and your model is hosted outside the EU, you now have a transfer question that's triggered by the AI Act compliance process itself.
**What we've observed in practice:**
1. **SCCs for AI training data are awkward.** Standard Contractual Clauses assume a controller-processor or controller-controller relationship with defined processing purposes. But training data is often scraped, purchased, or collected for purposes that predate the AI Act. Mapping existing data inventories to SCC transfer categories is labor-intensive.
2. **Adequacy-only strategy is limiting.** If you restrict training data to adequacy-listed countries (UK, Canada, Japan, etc.), you lose access to significant data sources. The US is not adequate — and most major cloud providers process data there by default.
3. **The AI Act doesn't override GDPR.** Recital 87 of the AI Act makes clear that GDPR continues to apply. So you can't use AI Act compliance as a reason to bypass Chapter V.
**Our approach:**
- We created a data provenance map: for each training dataset, we know the country of origin, legal basis for collection, and whether it contains personal data.
- For personal data in training sets, we apply the same transfer mechanisms (SCCs + TIA) that we'd use for any other cross-border processing.
- We documented this in our DPIA, specifically noting the Art. 34 registration as a "transfer-triggering event."
**Open question:** If a non-EU provider accesses your training data for "quality assurance" under an AI Act conformity assessment, is that a transfer? Our DPA consultation suggested yes, but I'd love to hear different interpretations.
The intersection of these two regimes is going to be a compliance headache for the next few years, at minimum.