By: Lola Campbell
On May 13, 2025, the District Court for the Southern District of New York ordered defendants, OpenAI, to “preserve and segregate all output log data that would otherwise be deleted.”[1] While seemingly inconsequential, this court order actually speaks to a greater conflict between U.S. and EU law.[2] In short, the issue raised by the preservation order against OpenAI is that the corporation may be required to delete certain users’ ChatGPT conversation data, despite the preservation order, due to provisions in the EU’s General Data Protection Regulation (“GDPR”).[3] OpenAI is subject to the GDPR because many of its consumers are citizens of EU member countries.[4] The OpenAI preservation order illustrates the conflict between the U.S.’s “patchwork” of privacy law and the EU’s data privacy framework under the GDPR and foreshadows a potentially broader conflict between the U.S.’s lack of AI regulation and the EU AI Act.[5]
The U.S. has no federal law regulating data privacy, and regulation of data privacy is almost entirely at the state level, as most states have a comprehensive data privacy law.[6] Violation of most states’ privacy laws warrants state attorneys general seeking injunctions and civil penalties.[7] In stark contrast to the U.S., the EU’s GDPR applies to all EU-member countries and imposes potentially severe penalties in the event of a violation.[8] Article 17 of the GDPR mandates a right to erasure in several circumstances, such as when the data is no longer necessary.[9] Article 5 also imposes several requirements relating to the “processing of personal data,” including that, “[p]ersonal data shall be . . . kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”[10] Articles 5 and 17 require OpenAI to delete its EU consumers’ data.[11] Depending on the nature and severity of the violation, a company may face up to $20 million in penalties, and while there is no private right of action, EU consumers can seek compensation through Data Protection Authorities (“DPAs”) for damages caused by noncompliance.[12]
Accordingly, the OpenAI preservation order illustrates the “catch-22” that corporations subject to the GDPR face, particularly in the context of U.S. litigation.[13] As scholar Natalie Moreno observes, the U.S.’s order to preserve consumers’ data directly conflicts with Article 17’s right to erasure.[14] Moreover, under Article 5, OpenAI may not retain personal identifying data under the GDPR for “longer than is necessary” per the purpose for which it was processed.[15] As OpenAI cannot feasibly argue that it processed EU consumers’ data in anticipation of litigation that would require its preservation, the preservation directly conflicts with Article 5.[16] This conflict exposes OpenAI to fines under the GDPR, as DPAs may pursue penalties for OpenAI’s continued violation of Articles 5 and 17.[17]
EU AI Act:
The preservation order illustrates a broader potential conflict relating to a corporation’s use of artificial intelligence, wherein a corporation must employ a “patchwork” use of artificial intelligence to comply with EU law, not just in litigation circumstances, but in everyday business.[18] In particular, the EU recently passed the EU AI Act, effective August 2026.[19] The Act ranks AI on a “high” to “low” risk scale, and prohibits several AI practices, including the exploitation of vulnerabilities or the evaluation of socio-economic status.[20] For corporations that use consumers’ data in generative AI platforms, such as OpenAI or Meta, both the EU AI Act and the GDPR may severely hamper their ability to collect EU consumer data.[21] For example, if Meta uses consumers’ data, in part, to train Llama 2, its generative AI platform, Article 5 of the GDPR prohibits corporations from retaining personal data for any unrelated purpose, and the EU AI Act prohibits AI use that evaluates consumers’ socio-economic status.[22] If Meta advertises to a user’s platform based on their socio-economic status that Llama 2 predicted based on the user’s responses, Meta violates Article 5 by retaining a consumer’s data for a different purpose (i.e., training generative AI) and violates the EU AI Act by engaging in a prohibited AI practice.[23]
Accordingly, the OpenAI preservation order raises comparative compliance concerns for corporations under the EU AI Act, as corporations like OpenAI may “edit” their AI use for EU consumers, or be forced to argue under threat of penalties why their AI use is “medium” or “low” risk.[24] As the U.S. and EU’s approaches to regulation have historically been conflicted, corporations are unlikely to receive further clarity from the EU AI bill.[25] Moreover, a corporation may be hesitant to change its entire AI system to comply with the Act’s categorization of “low risk,” for fear of losing the “AI race” in the U.S.[26]
[1] See New York Times Co. v. Microsoft Corp., No. 23-cv-11195 (S.D.N.Y. May 13, 2025) (granting preservation request by Defendant).
[2] See Nathalie Moreno, OpenAI and the Cross-Border Data Dilemma: US Litigation Holds vs. GDPR Erasure Obligations (UK/EU), Kennedys (Feb. 6, 2025), https://www.kennedyslaw.com/en/thought-leadership/article/2025/openai-and-the-cross-border-data-dilemma-us-litigation-holds-vs-gdpr-erasure-obligations-ukeu/ [https://perma.cc/4U6K-CREZ] (“In Europe, this decision conflicts with the GDPR’s provisions on data minimisation (Article 5(1)(e)) and the right to erasure (Article 17).”).
[3] See id. (“The right to erasure, first codified in the 1995 Data Protection Directive and now enshrined in Article 17 GDPR, has always sat uneasily alongside the broad discovery obligations under US litigation. What’s different today is the volume, velocity, and sensitivity of data processed by AI systems, and the growing frequency of transatlantic litigation targeting those systems.”); see also Kyle Jahner, OpenAI Continues to Fight Discovery Order Over Privacy Concerns, Bloomberg L. (June 4, 2025, at 14:06 ET), https://news.bloomberglaw.com/ip-law/openai-continues-to-fight-discovery-order-over-privacy-concerns [https://perma.cc/TS5L-8ZLC] (“[Judge] Wang denied OpenAI’s bid to undo her order on May 29, two days after reassuring the AI company that user data wouldn’t be publicly available.”); GDPR Article 17 Explained: Understanding the Right to Erasure (“Right to Be Forgotten”), GDPR (Dec. 1, 2025), https://gdprexplorer.com/gdpr-article-17-explained-understanding-the-right-to-erasure-right-to-be-forgotten [https://perma.cc/GH3C-NKJQ] (“[Article 17] grants individuals the ability to request the deletion of personal data when certain conditions are met—essentially enabling them to reclaim their digital footprint.”).
[4] Moreno, supra note 2 (“In practice, data controllers subject to US jurisdiction are routinely ordered to retain or produce personal data located in the EU or UK, notwithstanding conflicting obligations under data protection law.”).
[5] See id.; U.S. State Consumer Privacy Laws Overview, Duke Off. Audit, Risk & Compliance (Dec. 1, 2024), https://oarc.duke.edu/sites/default/files/State%20Privacy%20Law%20Overview_Website_12.04.24.pdf [https://perma.cc/M2ZG-SXW9] (discussing U.S. state privacy law); EU AI Act: First Regulation on Artificial Intelligence, Eur. Parliament (Feb. 19, 2025, at 17:46 ET), https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence [https://perma.cc/UFD2-UD4C] (providing the EU AI Act, effective August 2026).
[6] See Duke Off. Audit, Risk & Compliance, supra note 5.
[7] See id.
[8] See Fines / Penalties, Intersoft Consulting, https://gdpr-info.eu/issues/fines-penalties/ [https://perma.cc/3SCJ-VLSW] (last visited Mar. 28, 2026).
[9] See Principles Relating to Processing of Personal Data, Intersoft Consulting, https://gdpr-info.eu/art-5-gdpr/ [https://perma.cc/MN5B-Z9YP] (last visited Mar. 28, 2026); GDPR, supra note 3 (mandating deletion when the consumer withdraws consent, the consumer objects to processing, the corporation has illegally processed the data, the corporation is legally required to erase the data, or the data is a child’s).
[10] See id.; GDPR, supra note 3; Moreno, supra note 2.
[11] See GDPR, supra note 3.
[12] See Intersoft Consulting, supra note 8 (noting that, in the case of severe violations, corporations may be fined “2% of [a corporation’s] entire global turnover of the preceding fiscal year, whichever is higher”); Taking Your Case to Court and Claiming Compensation, Info. Comm’r Off., https://ico.org.uk/for-the-public/data-protection-and-journalism/taking-your-case-to-court-and-claiming-compensation/ [https://perma.cc/KV86-F8UL] (last visited Mar. 28, 2026) (“[Consumers may] claim compensation for any damage caused by any organization [sic] if they have broken data protection law, including any distress you may have suffered.”).
[13] Moreno, supra note 2.
[14] Id.
[15] See id.; Intersoft Consulting, supra note 9.
[16] Moreno, supra note 2 (“US discovery orders, standing alone, cannot lawfully justify retention of data that would otherwise be deleted.”).
[17] See Intersoft Consulting, supra note 8; Info. Comm’r Off., supra note 12.
[18] See Moreno, supra note 2; Caitlin Chin-Rothmann, Protecting Data Privacy as a Baseline for Responsible AI, CSIS (July 18, 2024), https://www.csis.org/analysis/protecting-data-privacy-baseline-responsible-ai [https://perma.cc/V2UG-3CLV].
[19] See EU AI Act: First Regulation on Artificial Intelligence, Eur. Parliament (Feb. 19, 2025, at 17:46 ET), https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence [https://perma.cc/SPF5-MRHM].
[20] See id.
[21] See Moreno, supra note 2 (“Generative AI platforms like OpenAI, Anthropic, and Meta’s Llama increasingly rely on large volumes of user-generated content that may qualify as personal data.”).
[22] See id. (“These systems [used by corporations like Meta] often process personal data at scale to train and refine large language models (LLMs), blurring the boundary between user content and training data.”); Intersoft Consulting, supra note 9; GDPR, supra note 3.
[23] See Moreno, supra note 2; Intersoft Consulting, supra note 9; GDPR, supra note 3.
[24] See Moreno, supra note 2; GDPR, supra note 3; Eur. Parliament, supra note 19.
[25] See Moreno, supra note 2; Duke Off. Audit, Risk & Compliance, supra note 5; Eur. Parliament, supra note 19.
[26] See Eur. Parliament, supra note 19; see also Jared Cohen, The Complicated Stakes of the AI Race Between the U.S. and China, Time (Feb. 18, 2026, at 11:58 ET), https://time.com/7379419/ai-race-us-china/ [https://perma.cc/BZP5-82HS] (“[T]here is a race to develop a dominant open-source AI model and a race to develop the top closed-source AI model.”).
