Professor Theodore Christakis, Director of the AI Regulation Chair at the University Grenoble Alpes, joins the Masters of Privacy podcast to discuss the privacy of chatbot conversations, government and court access to AI-generated data, cybersecurity risks, and the rapid emergence of AI-powered health assistants in the context of the European Health Data Space.

The IAPP recently published an article by Prof. Theodore Christakis about the discourse among European policymakers in response to Anthropic’s decision to block foreign nationals’ access to two of its latest models.

Hundreds of millions of people now confide in AI chatbots as though the conversation were private. In law, it is not. The concluding part of our consumer-AI privacy project follows a single conversation into the four places it can surface, a police referral, a government demand, a courtroom and a data breach, and asks what providers and regulators should do, including whether confidentiality can be built into the architecture itself.

The health agent rush may be the most consequential AI development of 2026. Yet, it has not received serious academic or regulatory attention. Until now.

Hundreds of millions of people confide their most intimate secrets to AI chatbots every day. The interface invites intimacy; the fine print reserves broad rights most users will never read. This first-of-its-kind study maps what really happens to your words across ChatGPT, Gemini, Claude, Grok, and DeepSeek. Read more

In his article published by the IAPP, Professor Christakis examines the “China data question” in greater depth, focusing on direct data collection, open-source deployment, and the limits of extraterritorial enforcement under EU law.

How should Europe enforce data protection when AI chatbots operate across borders? In a notable move, Berlin’s Data Protection Authority invoked the Digital Services Act (DSA) Article 16 to ask Apple and Google to delist DeepSeek, the famous Chinese AI chatbot, over alleged GDPR-breaching transfers of EU users’ data to China. The request uses a tool designed for illegal online content to tackle a complex AI data-flow issue—raising big questions for AI governance.

Exploring AI hallucinations through the lens of GDPR, this article focuses on the regulatory challenges, key DPA perspectives, and industry measures to balance innovation and data protection.

As the EDPB works intensively to draft the Article 64(2) GDPR Opinion — requested by the Irish DPC and relating to AI models — we are pleased to share with all interested stakeholders  the video of the workshop we organized on this topic during the CPDPInternational Conference on 22 May 2024.

This is the first ever detailed analysis of what is the most widespread way in which Facial Recognition is used in public (& private) spaces: to authorise access to a place or to a service. The 3rd Report in our #MAPFRE series should be of great interest to lawyers interested in data protection; AI ethics specialists; the private sector; data controllers; DPAs and the EDPB; policymakers; and the general public, who will find here an accessible way to understand all these issues.

The French DPA, CNIL, stressed that “the current debate on facial recognition is sometimes distorted by a poor grasp of this technology and how it works”. This 2nd of 6 Reports of our MAPFRE series provides a path to understanding with a classification table presenting in the most accessible way the different facial processing functionalities and applications used in public spaces.

How to regulate the use of facial recognition in public spaces in Europe? This crucial debate has often been characterised by a lack of clarity and precision. Here is the first of 6 Reports from our big “MAPFRE” research project, a detailed independent study analysing the different ways in which FRT is being used and the related legal issues.