
Generative AI and Confidentiality: The Invisible Risk

Mariana Duarte

 


BARRILERO SPS

 

The growing adoption of generative artificial intelligence tools, such as ChatGPT or Microsoft Copilot, has profoundly transformed the way organizations and professionals interact with information. Their ability to generate content, analyze documents, and support decision-making processes in real time results in clear efficiency gains. However, this technological evolution also exposes a particularly sensitive and frequently underestimated legal risk: the loss of control over the confidentiality of information. This risk must be analyzed in light of the applicable European regulatory framework, in particular the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act), whose interaction reinforces the need for a preventive, structured, and risk-based approach.

From the GDPR perspective, confidentiality plays a central role. Under Article 5(1)(f), personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing. This principle is further reinforced by Article 32, concerning appropriate technical and organizational measures. In addition, the rules governing international data transfers (Articles 44 et seq.) become particularly relevant in the context of using technology providers established outside the European Union.

Within this framework, the use of generative AI tools raises critical issues. Entering data through prompts may involve disclosure to third parties, often without users being fully aware of the legal implications. Such use may amount to an unlawful disclosure of personal data, an unauthorized international data transfer, or, in certain cases, a personal data breach within the meaning of Article 4(12) GDPR.

The open and decentralized nature of these technologies aggravates this risk. In practice, employees use these tools to support everyday tasks — from analyzing résumés to reviewing contracts — by entering information that may include personal data, sensitive content, or strategic information. This reality creates a difficult-to-control risk zone and may compromise compliance with the accountability principle established in Article 5(2) GDPR.

These risks are compounded by the opacity inherent in AI systems, particularly regarding the storage, access, and potential reuse of the information entered, thereby limiting organizations’ ability to scrutinize such processing. It is in this context that the AI Act becomes particularly relevant, as it reinforces these concerns by imposing obligations relating to transparency, documentation, governance, and risk mitigation, depending on the classification of the relevant system or model. These obligations apply especially to general-purpose AI models and, more stringently, to models presenting systemic risk.

In this context, particular attention should be given to the publication by the European Commission on 10 July 2025 of the Code of Conduct for General-Purpose AI Models, a voluntary instrument intended to support compliance with the obligations established under the AI Act, particularly those set out in Articles 53 and 55. Although it does not constitute automatic proof of compliance, it serves as an important benchmark for implementing appropriate governance practices.

From the perspective of confidentiality, the Code is especially significant because it:

  • requires the maintenance of up-to-date technical documentation while simultaneously ensuring the protection of trade secrets, intellectual property, and confidential information, as well as the adoption of appropriate cybersecurity measures;
  • imposes a continuous approach to risk assessment and mitigation, including risks to fundamental rights such as privacy and personal data protection, especially in the case of models with systemic risk;
  • establishes safeguards to prevent access to or processing of sensitive or confidential data in violation of EU law, including in evaluation or monitoring contexts.

Beyond personal data, the use of AI tools may also compromise the protection of trade secrets, insofar as the disclosure of strategic information or know-how may mean that the requirement of confidentiality is no longer met, with potentially irreversible consequences. A prudent approach is therefore required, based on clear internal policies, limitations on the input of personal and confidential data, and employee training.

At the same time, it is essential to evaluate providers according to criteria such as contractual terms, data protection guarantees, and data localization. Whenever applicable, organizations should also consider conducting Data Protection Impact Assessments (DPIAs), particularly where systematic or large-scale processing is involved. From a technical standpoint, preference should be given to solutions that minimize data exposure, such as anonymization or pseudonymization, as well as the use of controlled environments or enterprise versions of the tools.

In conclusion, generative AI represents a significant opportunity, but also a substantial risk in the fields of confidentiality and data protection. The principal challenge lies not in the technology itself, but in the lack of control over its use. In a context where the GDPR imposes high standards of protection and the AI Act reinforces a logic of risk management and governance, only a prudent, structured, and legally informed approach will allow innovation to be reconciled with the effective safeguarding of fundamental rights.