Agentic AI tests the limits of data protection law, study finds

The growing use of agentic artificial intelligence will test how organizations comply with existing data protection law, warns a study appearing in the Computer Law & Security Review.

Innovations will test the limits of existing rules, particularly when AI agents perform complex, multi-step tasks with limited human input. Agentic AI's distinctive features require a more comprehensive approach that extends beyond existing data protection measures alone, the research says.

The study argues that data protection compliance should be supported by stronger accountability mechanisms, governance measures, and forms of human oversight adapted to different levels of agentic AI autonomy. These safeguards should include documentation, auditability, impact assessments, and ongoing monitoring across the agentic AI lifecycle.

Unlike conventional generative AI, agentic AI systems are designed to pursue complex goals and coordinate multi-step actions, often with limited human input. This creates distinctive interpretative and compliance challenges for organizations subject to data protection law, including the GDPR.

The study, by Professor Ana Beduschi from the University of Exeter, argues that the GDPR remains an appropriate baseline for protecting personal data, but that the distinctive challenges posed by agentic AI require a broader approach involving governance, accountability, assessments of people's rights, and meaningful oversight.