This is educational material and does not constitute legal advice nor is any attorney/client relationship created with this article, hence you should contact and engage an attorney if you have any legal questions.
GDPR Overview
For seven years, the European Union’s General Data Protection Regulation (GDPR) has fundamentally reshaped how the world thinks about privacy, and completely broken websites the world over with its dreaded, mandated cookie banners.
Since taking effect in May 2018, it has generated over €5.88 billion in fines, established Europe as the global privacy standard-setter, and forced every major technology company to rethink how they handle personal data.
But GDPR is far more than just a European regulation. Its extraterritorial reach means that if your business processes data from EU residents — whether through a website, app, or any digital service — you’re likely subject to its requirements. And with AI and machine learning creating new compliance challenges, understanding GDPR has become essential for any business leader operating in the digital economy.
However, GDPR’s complexity creates a compliance gap. Most small startups aren’t fully compliant; they’re either flying under the radar, doing bare minimum compliance, or completely ignoring it until they reach significant scale. But the stakes are real: GDPR violations can result in fines up to €20 million or 4% of global revenue, whichever is higher.
This article breaks down what GDPR actually means for businesses, how enforcement has evolved since 2018, and why the regulation’s intersection with AI represents the next frontier of data protection compliance.
The Foundation: What GDPR Actually Covers
GDPR applies to the processing of personal data — essentially any information relating to an identified or identifiable person. This includes obvious categories like names and email addresses, but extends to IP addresses, location data, online identifiers, and even pseudonymized data that could reasonably be traced back to individuals.
The regulation’s territorial scope is deliberately broad. It covers any organization established in the EU, regardless of where the data processing occurs. It also applies to organizations outside the EU that offer goods or services to EU residents or monitor their behavior. This “targeting criterion” has brought most global digital businesses within GDPR’s reach.
Recent enforcement demonstrates this expansive scope. In 2024, Clearview AI received a €30.5 million fine from Dutch authorities despite being a US-based company with no EU operations. The company’s scraping of images from social media platforms and its facial recognition services were deemed to violate GDPR’s biometric data protections. The Dutch authorities were unmoved by Clearview’s argument that it wasn’t targeting Europeans: the processing necessarily included EU residents, and therefore triggered GDPR obligations. This case illustrates how GDPR’s extraterritorial application continues to surprise companies that assumed they were beyond European regulatory reach.
GDPR compliance hinges on five fundamental business considerations, but a company’s risk profile determines urgency:
- High-Risk Companies (Immediate Priority):
  - B2B data processors handling other companies’ data
  - Financial services adjacent (insurance, fintech, etc.)
  - Companies with active EU expansion plans
  - Cross-border data flows with US vendors
  - Systematic monitoring or large-scale processing
The five considerations are:
- What types of personal data matter most for compliance risk? Basic identifiers like names and emails create standard obligations, but biometric data, location tracking, and behavioral profiling generate heightened scrutiny and larger fines. Meta’s €1.2 billion penalty for international data transfers and multiple sanctions for children’s data processing demonstrate how certain data categories attract disproportionate regulatory attention.
- Your EU footprint determines GDPR applicability through two key tests: Do you have any establishment in the EU (offices, employees, subsidiaries)? And do you process data from people located in the EU through your products or services? The regulation’s territorial scope is deliberately broad, covering any organization established in the EU regardless of where data processing occurs, plus organizations outside the EU that offer goods or services to EU residents or monitor their behavior. Even minimal EU connections can trigger full compliance obligations.
- Your processing purposes and methods determine which legal requirements apply. Marketing communications typically require explicit consent, while service delivery can rely on contract performance. Operational analytics, such as Google Analytics, often use “legitimate interests” as a legal basis, but this requires balancing business needs against individual privacy rights. The choice affects everything from user experience design to vendor contracts.
- Third-party vendor relationships create some of GDPR’s biggest compliance challenges and enforcement risks. When you use cloud providers, analytics platforms, or marketing tools that process EU personal data, you remain liable for their compliance failures. Recent enforcement actions show regulators increasingly scrutinizing these processor relationships, particularly for international data transfers and security incidents.
- Finally, your security and privacy practices determine both your compliance posture and penalty exposure when incidents occur. GDPR requires “appropriate technical and organizational measures” including encryption, access controls, and regular security assessments. More critically, you need operational procedures for responding to individual rights requests within 30 days and breach notification to authorities within 72 hours. The regulation’s accountability principle means you must document these measures as regulators increasingly demand evidence of proactive compliance efforts when calculating fines.
These categories might seem straightforward, but they determine both your GDPR obligations and your potential liability exposure when things go wrong; we’ll unpack each of them in detail below.
Practical Implementation: A Phased Approach
Effective GDPR compliance doesn’t happen overnight. Organizations should adopt a risk-based, phased strategy:
Phase 1 (Immediate – 30 days):
- Basic Data Processing Agreements with EU clients
- Updated privacy policies
- Standard Contractual Clauses with US vendors
- Basic data mapping
Phase 2 (Next 6 months):
- Full Records of Processing Activities documentation
- Data subject rights procedures (30-day response capability)
- Comprehensive vendor audit
Phase 3 (Growth stage):
- Privacy by design processes
- Regular compliance audits
- Dedicated privacy resources
GDPR Meets AI: The New Compliance Frontier
The intersection of GDPR and artificial intelligence represents the regulation’s most dynamic and challenging application area. AI systems strain traditional privacy concepts around data minimization, purpose limitation, and individual rights while creating new categories of privacy risk.
Training data compliance has emerged as a critical enforcement focus. The European Data Protection Board’s recent guidance clarifies that AI models cannot automatically be considered anonymous after training; rather, organizations must assess whether personal data can be extracted through various attack methods. If that sounds like trying to prove a negative, that’s precisely the seemingly insurmountable, Sisyphean challenge now facing AI-focused companies. That said, web scraping for AI training may rely on legitimate interests if organizations respect contextual privacy expectations and implement appropriate balancing assessments.
Data minimization challenges create inherent tension between AI’s data requirements and GDPR’s necessity principles. Large language models require vast training datasets, while GDPR demands processing only data that’s adequate, relevant, and necessary for specific purposes. Organizations are exploring technical solutions including differential privacy, synthetic data generation, and federated learning (training models on local devices and then sharing only the resulting parameters) to address these tensions.
Individual rights implementation becomes complex in AI contexts. Providing meaningful information about algorithmic logic (as required by Articles 13-15) proves difficult when the processing involves machine learning systems that even their creators don’t fully understand. Data portability requirements strain when personal data is embedded within trained models that can’t be easily extracted or transferred.
The EU AI Act adds another layer of complexity, creating overlapping jurisdiction between data protection authorities and market surveillance bodies. Organizations developing or deploying AI systems must navigate both GDPR’s privacy requirements and the AI Act’s algorithmic governance obligations, requiring integrated compliance strategies that address both regulatory frameworks.
Building Compliance Infrastructure
Effective GDPR compliance requires more than privacy policies and cookie banners. Organizations need technical and organizational infrastructure capable of supporting ongoing data protection obligations.
Data mapping forms the foundation of any compliance program. Organizations must understand what personal data they collect, where it comes from, how it’s processed, who has access, where it’s stored, and how long it’s retained. This visibility enables informed decisions about lawful bases, individual rights responses, and data protection impact assessments.
Privacy by design integration embeds data protection considerations into system development and business processes from the outset. This includes implementing data minimization controls, automated retention schedules, access controls limiting data exposure, encryption for sensitive data, and technical measures supporting individual rights exercise.
Vendor management requires comprehensive due diligence and ongoing oversight. Article 28 Data Processing Agreements must include specific provisions covering processing instructions, security measures, sub-processor authorization, data subject rights assistance, and data return or deletion obligations. Organizations remain liable for processor compliance failures, making vendor selection and monitoring critical compliance activities.
Critical vendor categories requiring scrutiny:
- Cloud storage (AWS, Google Cloud, Azure)
- Analytics platforms (Google Analytics, Mixpanel)
- Communication tools (Slack, email providers)
- Payment processors
- Marketing automation platforms
Incident response capabilities must enable 72-hour breach notification to regulatory authorities and timely individual notification when appropriate. This requires detection capabilities, internal escalation procedures, impact assessment methodologies, and communication templates that can be rapidly deployed during security incidents.
International Data Transfers: The Elephant in the Room
If you’re a US-based startup with EU users — which, if you have a website, you probably are — international data transfers may be your single biggest practical GDPR compliance challenge. The regulatory landscape here has been turbulent, politically charged, and genuinely confusing. Here’s the state of play.
The Schrems Saga. Austrian privacy activist Max Schrems has single-handedly dismantled two EU-US data transfer frameworks. In 2015, the European Court of Justice struck down the Safe Harbor framework (Schrems I) after Schrems argued that US surveillance practices were incompatible with EU fundamental rights. In 2020, the Court struck down Privacy Shield (Schrems II) on essentially the same grounds, sending thousands of companies scrambling to find alternative transfer mechanisms.
The Current Framework: EU-US Data Privacy Framework (DPF). In July 2023, the European Commission adopted a new adequacy decision for the US based on the EU-US Data Privacy Framework. Under the DPF, US companies that self-certify through the Department of Commerce can lawfully receive EU personal data. This restored legal certainty — for now. But Schrems has already challenged the DPF (Schrems III is pending before the CJEU), arguing that the underlying US surveillance authorities haven’t materially changed. Many privacy professionals expect this framework to face serious judicial scrutiny.
Standard Contractual Clauses (SCCs): The Workhorse. Regardless of whether the DPF survives, Standard Contractual Clauses remain the most widely used transfer mechanism. SCCs are pre-approved contractual terms issued by the European Commission that importers and exporters of personal data must sign. Since 2021, the Commission has required the updated “modular” SCCs, which replaced the older versions. If you’re a US-based SaaS company processing EU data, you should have SCCs in place with your customers or incorporate them by reference in your Terms of Service or Data Processing Agreement.
Critically, SCCs aren’t a set-and-forget solution. Post-Schrems II, the EDPB requires organizations to conduct a Transfer Impact Assessment (TIA) evaluating whether the laws of the importing country (here, the US) provide essentially equivalent protection to EU law. For most low-risk SaaS applications, this assessment is relatively straightforward — but you need to document it.
The CLOUD Act Concern. The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US law enforcement to compel US-based companies to produce data regardless of where that data is physically stored. This is one of the underlying tensions that drove the Schrems II decision, and it remains a live concern among EU privacy advocates and compliance officers.
However — and this is important — the CLOUD Act does not make it illegal for EU residents to use US-hosted services. It creates a theoretical risk of compelled disclosure, but that risk must be evaluated in context. For a SaaS subscription tracker storing app names and monthly costs, the realistic probability of a US law enforcement demand is effectively zero. For a healthcare platform storing patient records, the calculus is very different. This is why the TIA matters: it forces a risk-proportionate assessment rather than a blanket prohibition.
What US Startups Should Actually Do. If you process EU personal data, your practical compliance checklist for international transfers looks like this:
- Reference SCCs in your privacy policy and/or Data Processing Agreement as your primary transfer mechanism.
- Check whether your sub-processors are DPF-certified. Major providers like Stripe, Google, and AWS are. If they are, cite the DPF as an additional safeguard.
- Conduct and document a Transfer Impact Assessment, even a lightweight one. For most B2B SaaS applications processing low-sensitivity data, this can be a 2-3 page document evaluating the nature of the data, the likelihood of government access requests, and the supplementary measures you’ve implemented (encryption, access controls, etc.).
- Don’t rely on consent as your transfer mechanism. GDPR requires that consent for international transfers be explicit, specific, informed, and freely given. “By using this service you consent to processing in the US” buried in a privacy policy does not meet this standard. Use SCCs instead.
- Consider EU-hosted infrastructure if you’re seriously targeting the EU market. It’s not legally required if you have proper transfer mechanisms, but it eliminates the objection entirely and can be a competitive advantage with privacy-conscious European customers.
The international transfer regime is likely to keep evolving. If Schrems III invalidates the DPF — which is a real possibility — SCCs will again become the sole viable mechanism for most companies, and the pressure to implement supplementary technical measures (like EU-based hosting or end-to-end encryption) will increase significantly. Building your compliance posture around SCCs rather than the DPF alone is the more durable strategy.
Looking Forward: GDPR’s Evolving Landscape
GDPR continues evolving through judicial interpretation, enforcement action, and technological change. Recent European Court of Justice decisions have clarified key concepts around pseudonymization, damages thresholds, and international transfers, while data protection authorities develop technical expertise in emerging areas like AI and biometric processing.
Regulatory convergence reflects GDPR’s global influence, with privacy laws in Brazil, India, California, and numerous other jurisdictions incorporating similar principles and requirements. However, geopolitical fragmentation through data localization mandates, national security restrictions, and laws like the US CLOUD Act may challenge unified global approaches to data governance. The tension between US government access authorities and EU fundamental rights protections remains unresolved and will likely drive continued litigation and regulatory evolution around international data transfers.
The relationship between GDPR and the EU AI Act will shape future compliance requirements for organizations deploying AI systems. Both regulations emphasize risk-based approaches, transparency obligations, and individual rights, but their interaction creates complex overlapping requirements that organizations must navigate carefully.
Enforcement sophistication will continue increasing as regulators develop technical expertise and coordinate cross-border investigations. Organizations should expect more targeted enforcement actions focusing on emerging technologies, children’s privacy, and international data transfers as regulatory authorities mature their enforcement capabilities.
For business leaders, GDPR represents both compliance obligation and competitive opportunity. The regulation’s complexity creates a compliance gap, particularly for resource-constrained organizations, but certain factors — like processing other companies’ data, regulated industry exposure, or active EU market targeting — make compliance non-optional. Organizations that invest in sophisticated privacy governance capabilities while embracing privacy-enhancing technologies will be best positioned for success in an increasingly regulated digital economy. The key is adopting a risk-based, phased approach that matches compliance investment to actual exposure.
For further questions, feel free to reach out.

![Everything you need to know about GDPR [UPDATED: February 20, 2026]](https://wp.hoaglaw.ai/wp-content/uploads/2026/01/GDPR-on-top-of-a-montage-of-cookie-banner-alerts.png)