The GDPR includes a specific regulatory framework regarding processing for the purposes of scientific research (see the “Data protection and scientific research” section in the “Main concepts” in Part II).^[1] If the AI development could be considered as scientific research, the “Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes” (Article 89(2)). Furthermore, according to article 5 (b) “further processing of the data gathered, in accordance with Article 89(1), would not be considered to be incompatible with the initial purposes (‘purpose limitation’)”. There are some other particular exceptions to the general framework applicable to processing for research purposes (such as storage limitation) that should also be taken into account. Nevertheless, AI developers should be aware of the concrete regulatory framework that applies to their research. It might include important changes depending on their national regulations. Consultation with their DPOs is highly recommended for this purpose.
 

References

¹This specific framework also includes historical research purposes or statistical purposes. However, ICT research is not usually related to these purposes. Therefore, we will not analyse them. ↑