Does data protection only protect individuals?

Reuben Binns tweeted in response to a tremendous court victory by the App Drivers and Couriers Union and Worker Info Exchange in Amsterdam:

This is often a critique of data protection as a mechanism for AI regulation. But especially when combined with human rights and specific anti-discrimination law, how much of a gap does that leave? (Of course, *effective* enforcement is always and everywhere a big question.)

Non-personal data is excluded, obviously, although given the GDPR’s expansive definition that is a shrinking area, and harms relating to profiling individuals will always be in scope. Group discrimination would come under human rights and equality law (if written effectively). Safety (e.g. cars) is a separate regulatory regime.

Within GDPR there are certainly specific issues which @lilianedwards @mikarv @RDBinns @jennifercobbe and others are writing about. How far can they be addressed without reopening the legislative text?

General Purpose/generative AI (like ChatGPT) might need specific regulation (it’s fascinating that the evolution of the EU’s AI Act has gone in the other direction — only adding this later — although this was mainly due to the timing of the emergence of ChatGPT and several text-to-image generators like DALL-E).

I have a report coming out (very) soon which partly addresses this issue, but I’m still interested in other views!