With data sovereignty concerns on the rise, how do we know what generative AI bots are doing with potentially sensitive information?
By Jim Peterson, Senior Copywriter & Transcreator at steelecht
Legal and ethical concerns should inform any agency’s choice of AI provider, not just in the EU, where regulations like the GDPR have long since sensitized us to the sovereignty of personal data. Even agencies in other regions have clients that ask them to sign an NDA at some point. Sensitive information, in these cases, has a much broader meaning than merely personal data.
Avoiding the use of product names in prompts certainly makes sense. But shouldn’t we also have qualms about divulging unique ideas, contextual logic or creative approaches to problems?
In general, we have to assume generative AI tools are using everything we feed to them for system training. OpenAI is at least transparent about this. Under the US government’s CLOUD Act, providers based in that country may be obliged to store and even provide data to authorities on request.
Of course, not using AI at all is always an option. To remain competitive and offer better quality copy, our agency has chosen to use AI in a targeted way. Learn more in our previous blog “In the age of AI, the human touch matters more than ever”.
When we do use AI, as careful and conscientious as we may be in drafting our prompts, how do we know the black box inside the bot isn’t mining our input in unscrupulous ways? London-based tech provider Empathy AI recommends setting up an in-house AI system. While this may be viable for a certain size of company, it’s not really an option for a small boutique agency like steelecht. As a result, we decided to look for a provider of generative AI that guarantees everything we input is secure.
Our search led us back to the continent we are based in: Europe.
Our story: the road to European AI
The German-American Lawyer’s Association claims “The US innovates; the EU regulates.” As a Europe-based copywriting agency with largely US-American staff, do we need to take sides? When it comes to data sovereignty, it’s not really a matter of choice.
US-based online tools do not provide the level of data sovereignty needed to ensure compliance with EU regulations, as the 2020 judgement Schrems II brought to light.
That’s why we have successively been switching to EU-hosted solutions for several of our backend tools, e.g. for timekeeping, file sharing and project management – all of which may store personal data like a customer’s email address. As the Germany-based online meeting tool Sally points out, server location matters.
When it came to AI, we found that the tools based in the EU also apply the same principles of data sovereignty. What about performance? Absolutely comparable. While some of them use their own LLMs, most build on existing ones, adding robust layers of data protection in between.
For the curious, here is an overview of the EU-based generative AI tools we reviewed:
- Mistral – their chatbot, previously known as “Le Chat”, now “Vibe”, offers multilingual support, Mixture-of-Experts architecture for efficiency, commercial API + self-hosting options.
- CamoCopy – EU-hosted, data sovereign by design, optimized for copywriting (tone, style and multilingual content), verifiable data deletion.
- EuroLLM – Covers all 24 EU languages, open-source, trained on EU-specific data, no licensing fees.
- Minerva AI – Italian-English bilingual, open-source, fine-tuned for safety and nuance in regulated industries, such as finance.
We tried them all and then settled on the one we felt was the best fit for our needs. Switching to an EU-based generative AI tool helps future-proof our workflow. No more worrying about Schrems II violations, unverifiable data deletion or Cloud Act exposure. Everything runs on EU servers under EU law.
Here were our main considerations when making our decision:
- GDPR compliance by default
Our new provider stores and processes all data on servers in the EU. This eliminates the legal risks of cross-border data transfers. AI hosted in the US, for instance, relies on unstable mechanisms like the EU-US Data Privacy Framework (DPF), which has been invalidated by the Schrems II ruling and could face future legal challenges. EU-hosted solutions circumvent this uncertainty.
- No US government access risks
US-based AI tools are subject to the Cloud Act, allowing US authorities to request data even after deletion. EU-based providers, however, are bound by EU laws (GDPR, EU Charter of Fundamental Rights), which prioritize user privacy over government access. This is critical for businesses handling sensitive client data (e.g. legal, healthcare, finance).
- Immediate & verifiable data deletion
Our EU-based chatbot, for example, allows instant, permanent deletion of chats, files and workspaces with written confirmation upon request. US providers often retain data for 30 days after deletion and do not provide proof of erasure. Under GDPR’s Right to Erasure (Article 17), businesses must delete data without undue delay – something that US providers cannot guarantee.
- No training on user data
US-based Large Language Models (LLMs) use prompts for model training by default unless users opt out, posing the risk of confidential data entering the system. Our EU provider never trains on user data, ensuring full data sovereignty.
- Transparency & control
EU-hosted AI tools offer clearer data processing agreements, self-destructing files and EU-based support for compliance queries. US providers often have opaque policies (e.g. unclear data retention, third-party sharing), making it harder to prove compliance to clients or regulators.
What about the EU AI Act?
Great question. As enforcement of the EU AI Act is rolled out, keeping a “human in the loop” will become a new priority, mostly to avoid the “machine generated” label. This will require more transparency about the use of AI, perhaps even driving more business back to us humans. Stay tuned for a future blog article on this!
Need help with copywriting or editing by humans? Contact us!
Feature image courtesy of Nickolas Nikolic on Unsplash
