US-based organizations using AI services risk violating GDPR when processing data of EU citizens, even if the patient is physically in the US. A Boston hospital discovered this when a routine audit revealed that its AI system, hosted on US infrastructure such as AWS and OpenAI APIs, had processed protected health information of 47 German patients. This constitutes an illegal data transfer under GDPR Article 44, potentially leading to significant fines. The article highlights that GDPR applies based on the data subject's location, not the organization's location.
Summary written by gemini-2.5-flash-lite from 1 source.
IMPACT US organizations using AI services risk substantial GDPR fines if they process EU citizen data without compliant transfer mechanisms.
RANK_REASON Article details a specific regulatory compliance issue with significant financial implications for organizations using AI services with international data subjects.