Feeding AI tools only the data they actually need
The safest personal data is the personal data you never put in. Minimize first, prompt second.
Not legal advice. Sally roasts behaviour and use-cases in general, never your specific situation, and nothing here replaces a real lawyer. The cases are real; what you do about them is between you and someone licensed to tell you.
Stripping or pseudonymizing personal details before using an AI tool, and only sending what the task requires.
Garante (Italian DPA) v. OpenAI
EUR 15M fine, ruling Dec. 2024 Β· EU (Italy)
The boundary case. The penalty followed from training on personal data without a basis and without transparency.
A EUR 15M fine. The lesson runs the other way too: minimize what you feed a model and most of this risk never attaches.
This is the boring habit that keeps you out of the cautionary tales. The fines and bans cluster around organizations that fed models more personal data than they had a basis for. Data minimization, the principle of only using what you genuinely need, is the cheapest compliance you will ever do.
Most AI tasks do not actually require a name, an address, or a full record. They require the relevant facts. Separate the two and most of your privacy exposure disappears before you ever hit send.
βThe companies that got fined had one thing in common: they sent the model everything. You can simply not do that.β
- 01Remove names, contact details, and identifiers the task does not need before prompting.
- 02Keep a lawful basis and a record for any personal data you do send.
- 03Check whether your AI vendor trains on your inputs, and turn that off when it matters.
Not legal advice. General commentary on a use-case, not your situation. Talk to a real lawyer before you act.