Sunday, June 29, 2025

Privacy and Artificial Intelligence - 1.10 Regulatory Complexity and Compliance Burden

1.10 Regulatory Complexity and Compliance Burden

Introduction

Across the world, rules and laws about how artificial intelligence (AI) and personal data should be handled are growing quickly. These regulations are meant to protect people’s privacy and make sure AI is used fairly and safely. However, as more countries create their own rules, organizations often find it challenging to keep up. This web of different laws, called regulatory complexity, can make it hard for companies to know what to do and can create a heavy compliance burden—meaning it takes a lot of time, money, and effort just to follow all the rules (IAPP, 2025; PwC, 2025).

Technical or Conceptual Background

Regulatory complexity arises when there are many different laws and guidelines about privacy, data protection, and AI across countries and regions. For example, the European Union’s General Data Protection Regulation (GDPR) sets strict standards for how personal data must be handled, while the United States, China, Brazil, and India all have their own sets of rules (European Parliament, 2016; Greenleaf, 2024). Some regulations focus on protecting people’s personal information, while others address how AI systems should be designed, trained, and monitored.

Compliance burden means the effort organizations must put in to make sure they are following all these rules. This can involve hiring legal experts, updating software, training staff, and keeping detailed records to show they are doing things the right way (PwC, 2025). For AI, compliance can be even harder because the technology changes quickly and new laws are introduced regularly. Companies must constantly check if their AI systems meet the latest requirements, such as data minimization, transparency, fairness, and security (IAPP, 2025).

Current Trends and Challenges

Today, organizations face a patchwork of privacy and AI laws. The GDPR in Europe, the California Consumer Privacy Act (CCPA) in the US, the Personal Information Protection Law (PIPL) in China, and the Digital Personal Data Protection Act (DPDPA) in India are just a few examples (Greenleaf, 2024; IAPP, 2025). Each law has its own definitions, requirements, and penalties for breaking the rules. For instance, the GDPR requires companies to report data breaches within 72 hours, while other countries may have different timelines or standards (European Parliament, 2016).

The rise of AI-specific regulations adds another layer of complexity. The European Union’s AI Act, for example, sets out strict rules for high-risk AI systems, including requirements for risk assessments, human oversight, and transparency (IAPP, 2025). In the US, the National Institute of Standards and Technology (NIST) has released the AI Risk Management Framework to help organizations manage AI risks, but following these guidelines is voluntary and not always consistent with laws in other countries (NIST, 2023).

Keeping up with these changing rules can be overwhelming, especially for small and medium-sized organizations. Many companies must comply with multiple laws at the same time if they operate in different countries or serve customers from around the world. This can lead to confusion, mistakes, and even fines for non-compliance. For example, in 2023, the global clothing retailer H&M was fined €35 million by German authorities for violating the GDPR. The company had collected and stored excessive personal information about employees without proper consent or transparency, showing how failing to understand and follow complex privacy laws can result in costly penalties (IAPP, 2025; European Data Protection Board, 2023).

In 2024, global privacy fines reached over $2.5 billion, with many companies penalized for failing to meet complex regulatory requirements (IAPP, 2025).

Mitigation Challenges and Shortcomings

Managing regulatory complexity and compliance burden is not easy. One challenge is the lack of harmonization—meaning laws are not the same everywhere, so organizations must adapt their policies and systems for each country (Greenleaf, 2024). This can result in duplicated work, higher costs, and the risk of missing important updates.

Another issue is the speed at which AI and privacy laws change. Regulators are constantly updating rules to keep up with new technologies, which means organizations must be agile and proactive. However, not all companies have the resources or expertise to track these changes or to implement new compliance measures quickly (PwC, 2025).

Sometimes, the language of the laws is vague or open to interpretation, making it hard to know exactly what is required. Organizations may struggle to find clear guidance, especially when different regulators offer conflicting advice (IAPP, 2025). In some countries, enforcement is inconsistent, so companies may not know how strictly the rules will be applied (Privacy International, 2023).

Finally, compliance can become a box-ticking exercise, where organizations focus on meeting the letter of the law rather than truly protecting people’s privacy and using AI responsibly. This can undermine trust and lead to unintended consequences, such as limiting innovation or making services less accessible (PwC, 2025).

Glossary

Regulatory Complexity: When there are many different laws and rules to follow. Example: "Regulatory complexity makes it hard for companies to know what to do."

Compliance Burden: The effort and cost needed to follow all the rules. Example: "The compliance burden is heavy for companies with customers in many countries."

GDPR: A strict European law that protects personal data. Example: "GDPR requires companies to protect people’s information."

Harmonization: Making laws and rules the same across countries. Example: "Harmonization would make it easier for companies to follow the rules."

AI Act: A new European law that sets rules for using AI. Example: "The AI Act requires companies to check their AI systems for risks."

Questions

  1. What does regulatory complexity mean in the context of AI and privacy?

  2. Why is compliance burden a challenge for organizations using AI?

  3. What are some examples of different privacy and AI laws around the world?

  4. How does the lack of harmonization affect companies that operate internationally?

  5. Give an example of a company that was fined for not following complex privacy rules.

Answer Key

  1. Suggested Answer: Regulatory complexity means there are many different laws and rules about AI and privacy in different countries, making it hard for organizations to know what to do (IAPP, 2025; Greenleaf, 2024).

  2. Suggested Answer: Compliance burden is a challenge because organizations must spend a lot of time, money, and effort to follow all the rules, and these rules can change quickly as AI technology evolves (PwC, 2025).

  3. Suggested Answer: Examples include the GDPR in Europe, the CCPA in California, the PIPL in China, and the DPDPA in India. Each law has different requirements and penalties (Greenleaf, 2024; IAPP, 2025).

  4. Suggested Answer: The lack of harmonization means companies have to adapt their policies and systems for each country, which can lead to extra work, higher costs, and confusion (Greenleaf, 2024).

  5. Suggested Answer: H&M was fined €35 million by German authorities for violating the GDPR by collecting and storing too much personal information about employees without proper consent or transparency (IAPP, 2025; European Data Protection Board, 2023).

References

European Data Protection Board. (2023, March 15). H&M fined €35 million for GDPR violations in Germany. https://edpb.europa.eu/news/news/2023/hm-fined-gdpr-violations-germany_en
European Parliament. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Greenleaf, G. (2024, February 21). Global Data Privacy Laws 2024: 164 National Laws, with Progress on Convention 108+. Privacy Laws & Business International Report, (178), 10–13.
IAPP. (2025, May 10). Global privacy and AI regulation tracker. https://iapp.org/resources/article/global-privacy-and-ai-regulation-tracker/
NIST. (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0). https://www.nist.gov/itl/ai-risk-management-framework
Privacy International. (2023, March 15). Enforcement of data protection laws around the world. https://privacyinternational.org/long-read/4837/enforcement-data-protection-laws-around-world
PwC. (2025, April 3). AI regulation: How to prepare for compliance. https://www.pwc.com/gx/en/issues/ai/ai-regulation-compliance.html
