Artificial Intelligence in the Management of Sensitive Data: Regulatory Perspectives (Between the AI Act and New 2026 Scenarios)
The era of the data "Wild West" is over. With the entry into force of the AI Act and the new Italian Law 132/2025, the management of sensitive data (biometric,
Until a few years ago, data was called "the new oil." Today, that metaphor is insufficient. In the era of Generative Artificial Intelligence and advanced predictive systems, sensitive data – that which concerns our health, our political opinions, our biometrics, and our most intimate sphere – has become "uranium." It is an inexhaustible source of energy for training ever more powerful models, but if managed without due precautions, it can cause radioactive disasters for privacy and civil rights.
We have entered a historical phase of transition. The "Wild West" of indiscriminate data collection is giving way to an era of hyper-regulation. The European Union, with the entry into force of the AI Act, has erected a regulatory fortress. However, pressure from Big Tech and geopolitical competition are severely testing the resilience of these principles.
In this article for AI & Legal Tech, we will analyze how the management of sensitive data is changing in the 2025-2026 biennium, exploring the new Italian model of co-governance, global tensions, and the strategies companies must adopt.
1. The Fortress Europe: AI Act and Data "Governance" (Art. 10)
The approval of the AI Act was not just a bureaucratic move; it was a declaration of digital sovereignty. Europe chose not to separate AI development from the protection of fundamental rights.
Article 10 and Data Quality
The beating heart of the regulation on sensitive data lies in Article 10 of the AI Act. As highlighted by the official text on Artificial Intelligence Act (https://artificialintelligenceact.eu/article/10/), for high-risk AI systems (High-Risk AI Systems), it is no longer enough to have "a lot of data." You must have the "right" data. The rule imposes strict requirements on data governance:
- Relevance and Representativeness: Training datasets must be representative to avoid bias.
- Traceability Logs: Every sensitive data point used must be traceable to its source.
The Interplay with the GDPR
Many observers wondered if the AI Act would replace the GDPR. The answer, as clarified by INTA (https://www.inta.org/perspectives/features/how-the-eu-ai-act-supplements-gdpr-in-the-protection-of-personal-data/), is no: it strengthens it. While the GDPR focuses on the rights of the data subject (privacy), the AI Act focuses on product safety (safety). When an AI system processes biometric or health data, the AI Act imposes additional pseudonymization measures and establishes that such data cannot be transmitted to third parties without rigorous human control (Human Oversight).
Data quality is the antidote to discrimination. To delve deeper into how "dirty" data creates injustices, read our focus on Algorithmic Bias and Invisible Discrimination.
2. The Italian Case: The New Law 132/2025 and Co-Governance
Italy has not stood by. With the new Law 132/2025, our country has outlined a governance model unique in the European landscape.
The Governance Triangle
According to the analysis by Federprivacy (https://www.google.com/search?q=https://www.federprivacy.org/informazione/primo-piano/privacy-e-intelligenza-artificiale-dopo-la-nuova-legge-132-2025-il-modello-it), the management of sensitive data in AI is no longer the exclusive domain of the Data Protection Authority. The new law establishes close coordination between:
- Data Protection Authority: Protection of individual rights.
- National Authority for AI (AgID): Technical oversight of AI systems.
- ACN (Cybersecurity): Intervention on critical infrastructures.
DPIA and Impact Assessment
As highlighted by Legal for Digital (https://legalfordigital.it/intelligenza-artificiale/intelligenza-artificiale-e-privacy/), for Italian companies this means that the DPIA (Data Protection Impact Assessment) becomes the central document. It must demonstrate how the algorithm handles sensitive data, mitigating re-identification risks.
3. A Global Look: The 2025-2026 Regulatory "Patchwork"
While Europe builds fortresses, the rest of the world is moving at different speeds.
USA: The Fragmentation
As reported by AI Data Insider (https://www.google.com/search?q=https://aidatainsider.com/ai/2025-ai-data-policy-overview-22-major-regulations-that-shaped-the-year/), the USA lacks a single federal law. California, with the ADMT rules analyzed by Aetos Data (https://www.google.com/search?q=https://www.aetos-data.com/answers-insights/2025-ai-governance-privacy-year-in-review), imposes an Opt-Out obligation and impact assessments, moving closer to the EU.
UK and Brazil
The United Kingdom is focusing on the Data Use and Access Act, seeking a pro-innovation balance, as explained by the DPO Centre (https://www.dpocentre.com/blog/data-protection-ai-governance-2025-2026/). Brazil is aligning its LGPD with European principles.
The Healthcare Sector
A report by MyData-Trust (https://www.mydata-trust.com/2026/01/07/data-governance-2025-2026/) highlights how the Life Sciences sector is the epicenter of the battle. With precision medicine, anonymizing genomic sequences is mathematically complex.
Protecting this data requires advanced technologies. Delve deeper in Quantum Privacy and AI: Threats and Solutions post-Q-Day.
4. Political Tensions: The "Digital Omnibus"
Not everything is running smoothly in the European regulatory machine.
Deregulation to Compete?
An analysis by Al Jazeera (https://www.aljazeera.com/economy/2025/11/20/eu-moves-to-ease-ai-privacy-rules-amid-pressure-from-big-tech-trump) reveals pressures to relax the GDPR through the "Digital Omnibus". Big Tech is demanding access to personal data for training GPAI models, promising "robust anonymization," a controversial concept.
The IAPP Vision
According to the IAPP (https://iapp.org/resources/article/privacy-ai-governance-and-cybersecurity-law-in-2025), 2026 will be the year when compliance must integrate with cybersecurity to prevent the theft of training data or model inversion attacks.
5. Right to be Forgotten and Algorithmic Memory
The GDPR guarantees the Right to be Forgotten (Art. 17). But how do you delete data from an already trained AI model? Once an LLM has "read" a piece of data, it becomes part of the mathematical weights of the network. Authorities are beginning to require Machine Unlearning: techniques to "unlearn" specific data without retraining the model from scratch.
For a philosophical and technical analysis, read Right to be Forgotten in the AI Era: Is the Past Really Past?.
6. Strategic Guide: Compliance by Design
Here are three strategic pillars for companies in 2026.
1. Data Lineage
Companies must map the path of every piece of sensitive data. Article 10 of the AI Act does not forgive ignorance about provenance.
2. Regulatory Sandboxes
Take advantage of the Sandboxes provided for by the AI Act (https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai) to test innovative systems under the supervision of the authority without immediate risks.
3. Synthetic Data First
Switch to Synthetic Data. Generating artificial datasets that maintain statistical properties but contain no personal information is the main path to compliance.
Security is the foundation. Read Cybersecurity and AI: Low-Cost Hacking and Automatic Defense.
FAQ: Frequently Asked Questions on AI and Sensitive Data
1. What is the maximum penalty under the AI Act? Up to 35 million euros or 7% of global turnover, exceeding the GDPR cap.
2. Can biometric data be used for training? Only with explicit consent and enhanced security measures. Emotion AI inference in the workplace or at school is prohibited.
3. Does the Italian law 132/2025 replace the GDPR? No, it complements it, defining the competencies of national authorities (Data Protection Authority, AgID, ACN).
4. Can I use anonymized health data for an LLM? Yes, but the anonymization must be irreversible to prevent re-identification through data cross-referencing.
Conclusions: Ethics as a Competitive Advantage
Regulation is not just an obstacle; it is the infrastructure for trust. In 2026, innovation will come of age, learning that computing power is nothing without the control of rights.
Delve deeper into corporate governance in AI and Governance: Between Utopia and Dystopia.
Bibliographic References and Sources
- AI Act & EU: Digital Strategy EU, AI Act Art. 10, INTA
- Italy: Federprivacy, Legal for Digital
- Global Trends: AI Data Insider, DPO Centre, MyData-Trust
- Politics: Al Jazeera, IAPP