AI training and special-category data after the SRB case: Two lawful pathways, one relational test

Roy Kamp and Noémie Weinbaum discuss insights from the CJEU's Single Resolution Board judgments on the question of what basis AI models can be trained on when special-category data is involved, particularly where training is carried out by a processor.

Contributors:

Roy Kamp

AIGP, CIPP/A, CIPP/E, CIPP/US, CIPM, CIPT, FIP

Legal Director

UKG

Noemie Weinbaum

AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, CDPO/FR, FIP

Senior Managing Counsel, Privacy and Compliance

UKG

Artificial intelligence adoption inside organizations is accelerating faster than many governance frameworks can adapt. Human resources platforms deploy predictive analytics, productivity tools learn from behavioral patterns, and customer-service systems are trained on historical interactions. 

As these systems mature, a recurring legal question continues to surface: When special-category data is involved, on what basis can AI models be trained, particularly where training is carried out by a processor?

Recent case law and regulatory guidance, culminating in the Court of Justice of the European Union's Single Resolution Board judgments, clarify that this question cannot be answered through abstractions. Instead, a practical fork has emerged, one that depends on how identifiability actually operates in the hands of the processor.

In practice, AI training scenarios involving special-category data now tend to fall into one of two lawful pathways. In the first, the data is rendered non-identifying for the processor, such that the processor cannot realistically attribute it to individuals. In the second, the data remains personal data for the processor, but with a materially reduced risk profile. Understanding which pathway applies, and for what reasons, is now the foundation of defensible AI governance.

Pseudonymization is a safeguard, not a separate legal basis

Before addressing AI training itself, one preliminary issue must be settled. Confusion often arises as to whether a processor requires its own lawful basis, particularly under Article 9(2) of the EU General Data Protection Regulation, to pseudonymize special-category data received from a controller.

It does not.
