The Risk of AI in Data Privacy

 

Artificial intelligence has rapidly woven itself into nearly every layer of life and in doing so has created a privacy crisis that existing laws were not designed to handle. Since the ratification of the Fourth Amendment in 1789, privacy has been a foundational concern of the United States (Andruss). Privacy was considered a universal and basic human right, so governments have begun to question whether collecting personal data online violates that basic human right. As the development of artificial intelligence outpaces the privacy protections of existing national and regional laws on data protection, the United Nations should establish a binding international framework on AI privacy that requires enforceable protection for sensitive data, and binding transparency obligations so individuals can control how their information is collected. 

The problem of data privacy has its roots in a global system that was never designed to handle it. It goes back to the Fourth Amendment to the Constitution, ratified in 1789, which established legal protection against unreasonable searches and seizures (Andruss). In 1967, in the court case Katz v United States, Fourth Amendment protections were expanded to electronic communications. Despite these protections, no binding global standard controlled how organizations could collect data. Finally, in 1980, the Organization for Economic Cooperation and Development (OECD) attempted to address this by establishing that personal data could only be collected with the knowledge and consent of the individual, requiring that the purposes for collecting be clearly defined the moment data is collected. However, the OECD had no actual enforcement power at the time (OECD Privacy Principles). When a team of Russian hackers compromised 3 billion Yahoo accounts and exposed passwords, phone numbers, and other personal information, public scrutiny of data privacy intensified (Chin). In 2018, the GDPR, a piece of legislation passed by the EU, provided a framework with genuine enforcement power, allowing fines up to 4% of a company’s annual revenue and requiring companies globally to document what personal data they collected (Andruss). Then, California became the first US state, in 2020, to enact a state law protecting data privacy. It granted consumers the right to know what personal information businesses collect and the right to opt out of collecting information. As AI systems began accelerating data collection, the American states of California, Colorado, and Utah passed their own AI-specific regulations in 2025 (“History of Privacy Timeline”). While these laws represented important first steps, AI’s borderless reach has outgrown national and regional protections.

The acceleration of AI has transformed data privacy from a national legal issue into a global crisis with harm across the world. According to Stanford’s 2025 AI Index Report, “AI incidents jumped by 56.4% in a single year, with 233 reported cases throughout 2024. These incidents span everything from data breaches to algorithmic failures that compromise sensitive information” (Spencer). This demonstrates that AI privacy violations are a systemic global issue. AI systems are deployed simultaneously across many countries, and because countries have vastly different jurisdictions, a single flawed government can compromise the data of millions of people. The trajectory of the amounts of these issues are accelerating, and it may continue to do so without global enforcement power. The lack of control of these laws is made even clearer through Italy’s data protection authority, who “hit Clearview AI with a 20 million-euro fine and demanded it delete all the personal data it had collected in Italy. But the fine was never collected and the data remains undeleted because of a lack of international agreement on enforcement, according to one of Italy’s top data regulators” (Andrews). Italy operates under the GDPR, which is very aggressive towards data privacy. When the strongest privacy regimes can’t enforce their own ruling against an AI company, international action becomes necessary. Without international action, incidents like Italy’s may only multiply, with more and more companies collecting and compromising the data of millions. The combination of rapidly rising AI incidents and absent cross-border enforcement makes data privacy a global issue. 

Given that national efforts have fallen short, the UN must step in with a binding international framework on data privacy in the age of AI. Senior Executive Media reports that “No regional AI regulatory framework can achieve complete effectiveness due to the global nature of AI development and deployment. Genuinely effective AI governance requires international coordination and standards harmonization…” (Liddle and Paugh). This expert assessment confirms that national or statewide laws are incapable of regulating AI. Even the strongest laws such as the GDPR and CCPA can be exploited by simply operating from a different jurisdiction. The reference to “standards harmonization” is also critical because countries like the US, China, and members of the EU all have incentives to protect their domestic AI industries, which is why a neutral multilateral body like the UN is the only realistic organization that can enforce global binding rules. A starting point for such a framework already exists in an UNESCO published article, stating that, “Member States should ensure that individuals retain rights over their personal data and are protected by a framework, which notably foresees: transparency; appropriate safeguards for the processing of sensitive data [...] meaningful accountability schemes [...] and the ability to access and erase their personal data in AI systems” (UNESCO). This recommendation maps onto the three pillars of strong AI privacy: transparency, protection of sensitive data, and individual control. While UNESCO is an organization with little enforcement power, the UN must create a binding framework to convert these principles into laws. However, a UN framework would mean little without real accountability. Perlman states that "Independent oversight by data protection authorities and, where appropriate, courts is essential. Compliance cannot rest on administrative discretion; it requires transparent rules and enforceable guarantees that limit state power” (Perlman). The danger of AI privacy doesn’t only just come from private companies, but also governments that may use AI for surveillance. That’s why embedding independent oversight and transparent rules into a binding UN framework can help the international community transform data privacy from a vague rule into a concrete right that follows individuals across borders. Regional and national governments have repeatedly failed to create effective legislation which leaves the UN responsible for enacting a framework that protects an individual’s right to data privacy. 

Since the creation of electronic communication and the internet, data privacy has been a primary concern of users. As AI expands into more and more aspects of life and exacerbates the existing problem of data privacy, nations and states are left unable to enforce their own effective jurisdiction on data privacy. That leaves the UN, an independent international organization, responsible to create an effective policy of transparency, control, and protection to mitigate the risk of AI’s data privacy issue. Data privacy should not be considered a luxury or a matter of convenience; it’s an established universal human right that can only be solved through coordinated international action.