Lesson 24 of 25
Technology Compliance: Cloud, Cookies, Social Media & AI
5 min read · CIPP/E
Apply the principles to modern tech: cloud processor relationships and transfers, ePrivacy cookie consent, joint control and dark patterns on social media, and AI under the GDPR and the EU AI Act.
Technology: the last compliance frontier
- Cloud, cookies, social media, AI
- Same principles, new pressure points
- GDPR + ePrivacy + the EU AI Act
- Domain V.D, the final compliance area
The final compliance lecture covers technology: cloud computing, web cookies, social-media platforms, and artificial intelligence. The underlying principles do not change (lawful basis, minimisation, security, transparency), but each technology puts new pressure on them. Here the GDPR works alongside the ePrivacy Directive for cookies and, increasingly, the EU AI Act for AI systems.
These topics feel modern, but the exam still tests them through the same lens you have been building: which basis, what safeguards, who is the controller, is it proportionate. Let's take each in turn.
Cloud computing
- Cloud provider is usually a processor (Article 28)
- Customer stays the controller and stays responsible
- Watch data location → international transfers (Chapter V)
- Due diligence, contract, security, sub-processor control
Cloud computing is, in GDPR terms, usually a controller-processor relationship. When you put personal data into a cloud service, the provider typically acts as your processor under Article 28, while you, the customer, remain the controller and remain responsible for the data. That means you need an Article 28(3) contract; you must satisfy yourself under Article 28(1) that the provider offers sufficient guarantees, in practice due diligence on its Article 32 security measures; and you must keep control of sub-processors, since cloud providers often use a chain of subcontractors. Article 28(2) requires your prior specific or general written authorisation for each sub-processor, and the provider remains fully liable to you for their performance under Article 28(4).
The big additional risk is location: cloud data may be stored in, or accessed from, a country outside the EU/EEA, which makes the processing an international transfer under Chapter V, requiring an adequacy decision, SCCs, or another Article 46 mechanism, plus a transfer impact assessment after Schrems II. Remote access by support staff in a third country counts as a transfer just as storage there does. The exam tests that moving to the cloud does not move your responsibility, and that data location can trigger transfer rules.
Web cookies
- ePrivacy Article 5(3) — consent before non-essential cookies
- Strictly necessary cookies are exempt from consent
- Consent must meet GDPR standard (clear affirmative act)
- Reject must be as easy as accept
Cookies are governed primarily by the ePrivacy Directive, specifically Article 5(3), which requires consent before storing information on, or accessing information already stored on, a user's device. The rule is technology-neutral, so it covers local storage, tracking pixels, and device fingerprinting as well as cookies. The only exemptions are for storage or access strictly necessary to transmit a communication, or strictly necessary to provide an information society service the user has explicitly requested. So a cookie that keeps a shopping basket working is exempt, but analytics, advertising, and tracking cookies need consent. That consent must meet the GDPR standard: a clear affirmative act, freely given, specific and informed, with no pre-ticked boxes (the CJEU confirmed this in Planet49, C-673/17). A banner that only offers accept, or that hides the reject option, does not collect valid consent.
Regulators increasingly insist that rejecting cookies must be as easy as accepting them, and that consent must be as easy to withdraw as it was to give (Article 7(3) GDPR). The exam pairs the ePrivacy consent rule for non-essential cookies with the strictly-necessary exemption, so know both halves.
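As an added example (not part of the lesson), here is how that rule looks when enforced in code rather than only on a banner: a small JavaScript consent gate that lets strictly necessary cookies through, blocks every other category until an explicit opt-in is recorded, makes reject a single call just like accept, and drops cookies whose consent is withdrawn. The category names, the consent cookie name and the six-month lifetime are assumptions chosen for illustration, not requirements stated on the page.

```javascript
// Added example, not code from the lesson. Category names, the cookie name and the
// 6-month lifetime are assumptions for illustration.

// Strictly necessary cookies are exempt from consent; every other category is opt-in.
const CATEGORIES = Object.freeze(['necessary', 'functional', 'analytics', 'advertising']);
const CONSENT_COOKIE = 'cookie_consent';              // assumed name
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;           // 6 months in seconds (assumed policy)

// No decision yet: nothing non-essential is allowed. There are no pre-ticked defaults.
function undecidedConsent() {
  return { decided: false, ts: null, necessary: true, functional: false, analytics: false, advertising: false };
}

// Accept and reject are symmetric one-step actions, so rejecting is as easy as accepting.
function acceptAll(now = Date.now()) {
  return { decided: true, ts: now, necessary: true, functional: true, analytics: true, advertising: true };
}
function rejectAll(now = Date.now()) {
  return { decided: true, ts: now, necessary: true, functional: false, analytics: false, advertising: false };
}

// Granular choice: unknown categories are an error, 'necessary' cannot be switched off,
// and anything not explicitly set to true stays false.
function chooseCategories(choices, now = Date.now()) {
  const consent = rejectAll(now);
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (category === 'necessary') continue;
    consent[category] = value === true;
  }
  return consent;
}

// The gate itself: may a cookie of this category be written to the device?
function mayStore(consent, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (category === 'necessary') return true;                       // strictly necessary exemption
  return consent.decided === true && consent[category] === true;  // explicit opt-in only
}

// A cookie jar that refuses non-consented writes instead of trusting each tag to behave.
class ConsentedCookieJar {
  constructor(consent) {
    this.consent = consent;
    this.cookies = new Map();
  }
  set(name, value, category) {
    if (!mayStore(this.consent, category)) return false;
    this.cookies.set(name, { value, category });
    return true;
  }
  get(name) {
    const entry = this.cookies.get(name);
    return entry ? entry.value : undefined;
  }
  // Withdrawal must be as easy as consent: drop every cookie whose category is no longer allowed.
  updateConsent(consent) {
    this.consent = consent;
    for (const [name, entry] of this.cookies) {
      if (!mayStore(consent, entry.category)) this.cookies.delete(name);
    }
  }
}

// Persist the decision itself as a cookie. Remembering the user's own choice is strictly
// necessary for the service they requested, so it needs no further consent.
function consentCookieHeader(consent) {
  const payload = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${payload}; Path=/; Max-Age=${CONSENT_MAX_AGE}; SameSite=Lax; Secure`;
}

// Read the decision back from a Cookie header string. The raw value is re-validated through
// chooseCategories, so a tampered or malformed cookie can never grant more than the user chose.
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join('=')));
      if (parsed.decided !== true) return undecidedConsent();
      const choices = {};
      for (const c of CATEGORIES) choices[c] = parsed[c] === true;
      return chooseCategories(choices, parsed.ts);
    } catch (e) {
      break;
    }
  }
  return undecidedConsent();
}
```

In a browser, `document.cookie = consentCookieHeader(consent)` persists the decision and `parseConsentCookie(document.cookie)` reads it back on the next visit; `mayStore` is the check every tag loader should run before writing anything non-essential, and it is the undecided state, not a silently accepted one, that a fresh visitor starts in.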
Social media and dark patterns
- Platforms and businesses may be joint controllers
- Dark patterns = deceptive design that manipulates choices
- EDPB dark-patterns guidance targets them
- Defaults, friction, and confusing wording undermine consent
Social media raises two issues the Body of Knowledge highlights. First, roles: a business running a page or campaign on a platform can be a joint controller with that platform for the processing whose purposes and means they jointly determine. The CJEU held exactly this for Facebook fan pages in Wirtschaftsakademie (C-210/16) and for an embedded Like button in Fashion ID (C-40/17), so responsibilities must be allocated in an arrangement under Article 26. Second, dark patterns: deceptive design choices that steer users into decisions against their interests, such as making accept big and green and reject small and grey, pre-selecting the most privacy-invasive option, or using confusing double negatives.
The EDPB's guidelines on deceptive design patterns make clear these undermine valid consent and breach the fairness and transparency principles. So a platform interface engineered to harvest consent is a compliance failure, and the exam may ask you to spot a dark pattern as the problem.
Artificial intelligence and machine learning
- AI processing personal data must obey the GDPR
- Lawful basis, minimisation, transparency, fairness/bias
- Article 22 — solely automated decisions with significant effect
- EU AI Act (2024/1689) adds a risk-based layer
Finally, artificial intelligence, including machine learning, which the current Body of Knowledge explicitly adds. When AI processes personal data, whether to train a model or to make decisions, the GDPR applies in full: you need a lawful basis, you must minimise the data used, you must be transparent about the processing, and you must address fairness, because biased training data can produce discriminatory outputs that breach the fairness principle. Where AI makes solely automated decisions with legal or similarly significant effects, Article 22 applies: such decisions are prohibited unless necessary for a contract, authorised by law, or based on explicit consent, and even then the data subject must be able to obtain human intervention, express their point of view, and contest the decision. A DPIA under Article 35 will usually be required as well.
On top of the GDPR, the EU Artificial Intelligence Act, Regulation (EU) 2024/1689, adds a risk-based layer: it bans certain practices outright (its Article 5) and tightly regulates high-risk systems. For the exam, the key point is that AI does not get a pass: the GDPR's principles and Article 22 apply, with the AI Act layered on top.
Recap
- Cloud: provider = processor; you stay controller; watch transfers
- Cookies: ePrivacy consent unless strictly necessary
- Social media: joint control; dark patterns break consent
- AI: GDPR + Article 22 + the EU AI Act
So technology compliance reuses everything you know. In the cloud, the provider is your processor under Article 28, you stay the controller, and data location can trigger Chapter V transfer rules. For cookies, ePrivacy Article 5(3) requires consent for anything not strictly necessary, and reject must be as easy as accept.
On social media, businesses can be joint controllers, and dark patterns invalidate consent. And for AI, the GDPR's principles and Article 22 apply, with the EU AI Act adding a risk-based layer. That completes Domain V and the substantive content of the course.
Go take the Domain V practice test, then join us for the final lecture, where we turn all of this into an exam-day plan.
Sources
- Regulation (EU) 2016/679 (GDPR), Articles 5, 6, 7, 22, 26, 28, 32, 35, 44-49
- Directive 2002/58/EC (ePrivacy Directive), Article 5(3) (cookie consent)
- Regulation (EU) 2024/1689 (EU AI Act)
- EDPB Guidelines 03/2022 on deceptive design patterns (dark patterns)
- EDPB cloud guidance
Test your knowledge
Q1. Under Article 15, is the controller permitted to charge a fee for responding to an access request?
Q2. Which of the following processing operations triggers a mandatory DPIA under Article 35(3)?
Q3. A controller and a processor are both found to have contributed to a personal data breach. A data subject sues only the processor for full compensation. Under Article 82, can the data subject recover the full amount from the processor alone?
Q4. What did the modernisation of Convention 108 into Convention 108+ (CETS 223) primarily achieve?