Privacy and Data Protection in the Age of AI-Powered Cybersecurity: A Comparative Legal Approach

Authors

  • Gentian Koci PhD., Lecturer, Faculty of Political Science and Law, University “Aleksander Moisiu”, Durres, Albania; Member of the Union of Scientists of Bulgaria
  • Emirjana Dimo Magistrate, Judge at the Court of First Instance of General Jurisdiction of Elbasan, Elbasan, Albania
  • Mariya Valkova Hristozova Associate Professor, Faculty of Public Health, Medical University of Plovdiv, Plovdiv, Bulgaria

DOI:

https://doi.org/10.56345/ijrdv13n129

Keywords:

Artificial intelligence; privacy; personal data protection; cybersecurity; GDPR; AI Act; comparative law

Abstract

The development of artificial intelligence-based cybersecurity systems has changed how public and private organisations identify, prevent, and manage digital threats. However, the use of these systems leads to a marked increase in the processing of personal data, often through persistent monitoring, profiling, and automated decision-making, which directly tests the boundaries set by data protection law. This article contends that the operational logic of AI-powered cybersecurity, which favours large-scale, uninterrupted data collection and predictive risk profiling for maximum security gains, generates acute conflict with key principles of the General Data Protection Regulation (GDPR), such as data minimisation (Article 5(1)(c)) and restrictions on automated decision-making (Article 22). By specifying these structural points of friction in the abstract, the paper anchors its normative claim and clarifies the stakes of the debate from the outset. This analysis is carried out using a doctrinal and comparative approach, comparing the legal framework of the European Union with Albanian legislation. The focus is on the General Data Protection Regulation (GDPR), the EU Regulation on Artificial Intelligence (AI Act), the Data Act, the new eIDAS framework, and the Albanian Law no. 124/2024 “On the Protection of Personal Data”. The article claims that the current regulatory framework only partially reconciles the operational logic of AI-powered cybersecurity with the normative logic of personal data protection. In this sense, privacy should not be understood solely as a limitation on technological monitoring, but as a structural prerequisite for the legitimacy, credibility, and sustainability of cybersecurity systems based on artificial intelligence. The paper concludes with proposals de lege ferenda for strengthening normative coherence, algorithmic accountability, and human oversight in the use of AI in cybersecurity.
Key policy recommendations include the introduction of a dedicated regulatory framework for the use of AI in cybersecurity in Albania, the establishment of mandatory augmented Data Protection Impact Assessments (DPIAs) for high-impact AI-driven systems, the adoption of clear standards on transparency, auditability, and human monitoring, and the separation of security and investigative functions in the use of AI-produced data for criminal procedures. GDPR is Regulation (EU) 2016/679, AI Act is Regulation (EU) 2024/1689, Data Act is Regulation (EU) 2023/2854, the new eIDAS rules were adopted with Regulation (EU) 2024/1183, while in Albania, the central basis is Law no. 124/2024.

 

Received: 17 January 2026 / Revised: 24 February 2026 / Accepted: 7 March 2026 / Published: 25 March 2026

Published

2026-03-25

Section

Articles

How to Cite

Koci, G., Dimo, E., & Hristozova, M. V. (2026). Privacy and Data Protection in the Age of AI-Powered Cybersecurity: A Comparative Legal Approach. Interdisciplinary Journal of Research and Development, 13(1), 265. https://doi.org/10.56345/ijrdv13n129
