Agentic AI Challenges Data Protection Law, Study Finds

The growing use of agentic artificial intelligence will test how organizations comply with existing data protection law. A new study in the Computer Law & Security Review warns of this challenge. Here's the thing: these AI agents perform complex, multi-step tasks with limited human input. This creates unique compliance issues for organizations under data protection law, including the GDPR. The research suggests a more comprehensive approach is needed, beyond current data protection measures. This means stronger accountability, better governance, and human oversight tailored to different levels of AI autonomy. Safeguards should include documentation, auditability, impact assessments, and ongoing monitoring. What's interesting is that agentic AI systems pursue complex goals and coordinate multi-step actions, unlike conventional generative AI. Professor Ana Beduschi from the University of Exeter states the GDPR remains an appropriate baseline, but agentic AI requires a broader approach. She notes that AI agents should not be treated as data controllers, but as sophisticated tools. The difficulty is they may shape how personal data is processed, making it harder to exercise data subject rights like erasure. The bottom line: agentic AI's autonomous, evolving decision-making processes could make compliance with rights, such as the right to erasure, much more difficult. This highlights a gap between legal standards and technical realities.