ISSN 2663-0583 (Online)
ISSN 2663-0575 (Print)
  • Home
  • THE EU ARTIFICIAL INTELLIGENCE ACT AND DATA PROTECTION CHALLENGES FOR NON-EU CITIZENS: COMPARATIVE INSIGHTS FROM THE WESTERN BALKANS
"

THE EU ARTIFICIAL INTELLIGENCE ACT AND DATA PROTECTION CHALLENGES FOR NON-EU CITIZENS: COMPARATIVE INSIGHTS FROM THE WESTERN BALKANS

1. Introduction. – 2. Methodology and Scope of Research. – 3. Limitations of the Study. – 4. Literature Review. – 5. Transfer Of Personal Data and Alignment of Albanian Legislation with EU Standards. – 6. Automated Profiling Under AI Systems: Legal Risks and Individual Protection. – 7. The EU Artificial Intelligence Act and Its Interaction with Data Protection Standards. – 8. Empirical Insights from the Survey. – 9. Conclusions.

Full Text:

DOI

HTML Abstract About Author(s) References Reviews Українською

Background: In the era of artificial intelligence, data protection and privacy rights have become critical components of the European Union’s legal order. This study examines the interaction between the EU Artificial Intelligence Act of 2024 and the General Data Protection Regulation, focusing on their implications for non-EU countries, particularly Albania. The adoption of the EU Artificial Intelligence Act has reshaped the legal framework governing artificial intelligence and personal data protection in Europe. However, the practical implications of these instruments for non-EU citizens, particularly in Western Balkan countries as EU candidate countries, remain underexplored.

Methods: The study adopts a combined comparative legal and empirical methodology. It integrates a comparative legal analysis to evaluate the extent of alignment between domestic legislation and EU standards, a questionnaire-based survey of 178 respondents to assess public awareness and perceptions of privacy rights, and an analysis of attitudes towards the risks associated with artificial intelligence and personal data processing. It provides quantitative evidence that complements the legal analysis by illustrating how regulatory frameworks are perceived and experienced in practice. Based on the questionnaire data identifying Meta Platforms as the most widely used social media platform in Albania, the study includes a case study designed as an experimental rights-exercise test involving a data-access request submitted to the company, aimed at examining the cross-border enforceability of data-subject rights.

Results and Conclusions: The findings reveal a significant gap between formal legislative harmonisation with EU data-protection and AI standards and their effective implementation in Western Balkan candidate countries. Survey evidence from 178 Albanian respondents indicates limited awareness of personal data rights, low trust in institutional protection, and widespread uncertainty about AI-driven profiling and data use. The case study further demonstrates challenges in enforcing rights against foreign entities.  Strengthening supervisory mechanisms and adopting the EU’s risk-based approach to AI regulation are recommended to ensure effective protection of personal data in candidate countries. Effective data protection measures for non-EU citizens require strengthening supervisory cooperation, enhancing enforcement capacity, and adopting the EU AI Act’s risk-based governance model in domestic law.

Abstract

Background: In the era of artificial intelligence, data protection and privacy rights have become critical components of the European Union’s legal order. This study examines the interaction between the EU Artificial Intelligence Act of 2024 and the General Data Protection Regulation, focusing on their implications for non-EU countries, particularly Albania. The adoption of the EU Artificial Intelligence Act has reshaped the legal framework governing artificial intelligence and personal data protection in Europe. However, the practical implications of these instruments for non-EU citizens, particularly in Western Balkan countries as EU candidate countries, remain underexplored.

Methods: The study adopts a combined comparative legal and empirical methodology. It integrates a comparative legal analysis to evaluate the extent of alignment between domestic legislation and EU standards, a questionnaire-based survey of 178 respondents to assess public awareness and perceptions of privacy rights, and an analysis of attitudes towards the risks associated with artificial intelligence and personal data processing. It provides quantitative evidence that complements the legal analysis by illustrating how regulatory frameworks are perceived and experienced in practice. Based on the questionnaire data identifying Meta Platforms as the most widely used social media platform in Albania, the study includes a case study designed as an experimental rights-exercise test involving a data-access request submitted to the company, aimed at examining the cross-border enforceability of data-subject rights.

Results and Conclusions: The findings reveal a significant gap between formal legislative harmonisation with EU data-protection and AI standards and their effective implementation in Western Balkan candidate countries. Survey evidence from 178 Albanian respondents indicates limited awareness of personal data rights, low trust in institutional protection, and widespread uncertainty about AI-driven profiling and data use. The case study further demonstrates challenges in enforcing rights against foreign entities.  Strengthening supervisory mechanisms and adopting the EU’s risk-based approach to AI regulation are recommended to ensure effective protection of personal data in candidate countries. Effective data protection measures for non-EU citizens require strengthening supervisory cooperation, enhancing enforcement capacity, and adopting the EU AI Act’s risk-based governance model in domestic law.

About Authors

Fjorida Ballauri 

PhD, Faculty of Security and Investigation, Security Academy of Albania, Albania

Fjorida.Ballauri@asp.gov.al 

fjori.k@gmail.com

https://orcid.org/0009-0002-7121-6266

Corresponding author, solely responsible for preparing the manuscript.

 

Competing interests: No competing interests were disclosed.

 

Disclaimer: The author declares that her opinions and views expressed in this manuscript are free from any impact of any organisations.

Rights and Permissions

Copyright: © 2026 Fjorida Ballauri. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Editors

Managing editor – Mag. Bohdana Zahrebelna. English Editor Robert Reddin. Ukrainian language Editor – Liliіa Hartman.

References

1.      Ballauri F, ‘The Questionnaire on the Awareness and Experience of Albanian Citizens Regarding the Protection of Personal Data and Privacy in the Digital Age’ (Google Forms, 2025) https://docs.google.com/forms/d/1rXEv9an-fZNGD79VSr5K52HUu2KDDLX0AF05DLFwVOQ/edit#responses accessed 25 January 2026

2.      Berreby D, ‘Click to Agree with What? No One Reads Terms of Service, Studies Confirm’ The Guardian (London, 3 March 2017) https://www.theguardian.com/technology/2017/mar/03/terms-of-service-online-contracts-fine-print?utm_source=chatgpt.com accessed 25 January 2026

3.      Bryant M, ‘Denmark to tackle deepfakes by giving people copyright to their own features’ The Guardian (London, 27 June 2025) https://www.theguardian.com/technology/2025/jun/27/deepfakes-denmark-copyright-law-artificial-intelligence accessed 25 January 2026.

4.      Bryman A, Social Research Methods (5th edn, OUP 2016)

5.      Cane P and Kritzer HM (eds), The Oxford Handbook of Empirical Legal Research (OUP 2010)

6.      Chandonnet H, ‘Sam Altman is Worried Some Young People Have an Emotional Over Reliance on ChatGPT when Making Decisions’ (Business Insider, 23 July 2025) https://www.aol.com/sam-altman-worried-young-people-181115911.html accessed 25 January 2026

7.      Creswell JW and Creswell JD, Research Design: Qualitative, Quantitative, and Mixed Methods Approaches (5th edn, SAGE 2018)

8.      Czerniawski M and Svantesson D, ‘Challenges to the Extraterritorial Enforcement of Data Privacy Law – EU Case Study’ in Dataskyddet 50 år – historia, aktuella problem och framtid (Stiftelsen Juridisk Fakultetslitteratur 2024) 127, doi:10.53292/bd1fa11c.f5b3afbe

9.      Dillman DA, Smyth JD and Christian LM, Internet, Phone, Mail, and Mixed-Mode Surveys: The Tailored Design Method (4th edn, Wiley 2014)

10.   González Fuster G and Nadolna Peeters M, Person Identification, Human Rights and Ethical Principles: Rethinking Biometrics in the Era of Artificial Intelligence (European Parliament EPRS 2021) doi:10.2861/384495

11.   Gstrein OJ and Zwitter A, ‘Extraterritorial Application of the GDPR: Promoting European Values or Power?’ (2021) 10(3) Internet Policy Review, doi:10.14763/2021.3.1576

12.   Hacker P, ‘Teaching Fairness to Artificial Intelligence: Existing and Novel Strategies against Algorithmic Discrimination under EU Law’ (2018) 55(4) Common Market Law Review 1143, doi:10.54648/cola2018095

13.   Heijden J, ‘Risk as an Approach to Regulatory Governance: An Evidence Synthesis and Research Agenda’ (2021) 11(3) SAGE Open 21582440211, doi:10.1177/21582440211032202

14.   Joseph J, ‘Altman Warns that your ChatGPT Conversations Can (and Will) Be Used Against You in Court’ (PC Mag, 4 August 2025) https://www.pcmag.com/news/altman-anything-you-say-to-chatgpt-can-and-will-be-used-against-you-in accessed 25 January 2026.

15.   Jovanoviq N, ‘Meta trajnon pa paralajmërim inteligjencën artificiale mbi të dhënat e qytetarëve të Ballkanit’ (Radio Evropa e Lirë, 5 August 2024) https://www.evropaelire.org/a/meta-trajnon-paparalajmerim-inteligjencen-artificiale-mbi-te-dhenat-e-qytetareve-ballkanit-/33066127.html accessed 25 January 2026

16.   Kuner C, ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’ (2015) 5(4) International Data Privacy Law 235, doi:10.1093/idpl/ipv019

17.   Svantesson DJB, Solving the Internet Jurisdiction Puzzle (OUP 2017)

18.   Veale M and Zuiderveen Borgesius F, ‘Demystifying the Draft EU Artificial Intelligence Act’ (2021) 22(4) Computer Law & Security Review 97, doi:10.9785/cri-2021-220402

19.   Wendehorst C and Duller Y, Biometric Recognition and Behavioral Detection: Assessing the Ethical Aspects of Biometric Recognition and Behavioral Detection Techniques with a Focus on Their Current and Future Use in Public Spaces (European Union 2021)

20.   Yin RK, Case Study Research and Applications: Design and Methods (6th edn, SAGE 2018)

21.   Zuiderveen Borgesius F, ‘Strengthening Legal Protection against Discrimination by Algorithms and Artificial Intelligence’ (2020) 24(10) The International Journal of Human Rights 1572, doi:10.1080/13642987.2020.1743976

Reviews for article

Add a Review

Reviews are moderated and will be published after verification!
All comments not related to reviews of the article will be deleted!

АНОТАЦІЯ УКРАЇНСЬКОЮ МОВОЮ

 

Дослідницька стаття

 

АКТ ЄС ПРО ШТУЧНИЙ ІНТЕЛЕКТ ТА ПРОБЛЕМИ ЗАХИСТУ ДАНИХ ДЛЯ ГРОМАДЯН КРАЇН, ЩО НЕ ВХОДЯТЬ ДО ЄС: ПОРІВНЯЛЬНИЙ ДОСВІД ЗАХІДНИХ БАЛКАН

 

Фйорида Баллаурі

АНОТАЦІЯ

Вступ. В епоху штучного інтелекту захист даних та права на приватність стали критично важливими компонентами правового порядку Європейського Союзу. Це дослідження розглядає взаємодію між Актом ЄС про штучний інтелект 2024 року та Загальним регламентом про захист даних, зосереджуючись на їхньому впливі на країни, що не входять до ЄС, зокрема Албанію. Ухвалення Акту ЄС про штучний інтелект змінило правову базу, що регулює ШІ та захист персональних даних у Європі. Однак практичні наслідки цих інструментів для громадян країн, що не входять до ЄС, особливо країн Західних Балкан як країн-кандидатів на вступ до ЄС, залишаються недостатньо вивченими.

Методи. У дослідженні використано комбіновану порівняльно-правову та емпіричну методологію. Воно поєднує порівняльно-правовий аналіз для оцінки ступеня узгодженості національного законодавства зі стандартами ЄС, анкетне опитування 178 респондентів для оцінки обізнаності громадськості та сприйняття прав на приватність, а також аналіз ставлення до ризиків, пов'язаних зі штучним інтелектом та обробкою персональних даних. Воно надає кількісні докази, що доповнюють правовий аналіз, ілюструючи, як регуляторні межі сприймаються та використовуються на практиці. На основі даних анкети, які визначають Meta Platforms як найпоширенішу платформу соціальних мереж в Албанії, у статті було проведено тематичне дослідження, розроблене як експериментальний тест на здійснення прав, що містить запит на доступ до даних, поданий компанії, з метою вивчення транскордонної можливості забезпечення виконання прав суб'єктів даних.

Результати та висновки. Результати дослідження виявляють значний розрив між формальною гармонізацією законодавства зі стандартами ЄС щодо захисту даних та штучного інтелекту та їх ефективним впровадженням у країнах-кандидатах Західних Балкан. Дані опитування 178 албанських респондентів свідчать про обмежену обізнаність щодо прав на персональні дані, низьку довіру до інституційного захисту та широку невизначеність щодо профілювання та використання даних на основі штучного інтелекту. Тематичне дослідження також демонструє проблеми, що повʼязані з дотриманням прав щодо іноземних організацій. Для забезпечення ефективного захисту персональних даних у країнах-кандидатах рекомендується посилення механізмів нагляду та впровадження ризик-орієнтованого підходу ЄС до регулювання ШІ. Ефективні заходи захисту даних для громадян країн, що не входять до ЄС, вимагають посилення співпраці у сфері нагляду, посилення правоохоронних можливостей та впровадження ризик-орієнтованої моделі управління Акт ЄС про ШІ у внутрішньому законодавстві.

Ключові слова. Штучний інтелект, законодавство ЄС, права на захист даних, ризик, конфіденційність.

Keywords

  • artificial intelligence, EU legislation, data protection rights, risk, privacy

Publication history

  • DETAILS FOR PUBLICATION

    Date of submission: 04 Feb 2026

    Date of acceptance: 27 Apr 2026

    Online First Publication: 12 June 2026

    Рublication: Aug 2026

    Was the manuscript fast-tracked? - No

    Number of reviewer reports submitted in the first round: 2 reports

    Number of revision rounds: 1 round with major revisions
     

    Technical tools were used in the editorial process

    Plagiarism checks - Turnitin from iThenticate

    https://www.turnitin.com/products/ithenticate/

    Scholastica for Peer Review

    https://scholasticahq.com/law-reviews

    AI DISCLOSURE STATEMENT

    The author confirms that no artificial intelligence tools or services were used at any stage of

    writing, translating, editing, or analysing content for this manuscript.

    FUNDING AND APC STATEMENT

    The author received no specific grant or external funding for the research and publication

    of this article. Consequently, the APC was partially waived (50%) by the publisher under

    the AIP funding strategy, in accordance with the AJEE Charges Policy for authors from

    Lower-Middle-Income countries (as per the World Bank classification). The balance was

    covered by the author.

How to cite it?

  • Ballauri F, ‘The EU Artificial Intelligence Act and Data Protection Challenges for Non-EU Citizens: Comparative Insights from the Western Balkans’ (2026) 9 (3) Access to Justice in Eastern Europe <https://doi.org/10.33327/AJEE-18-9.3-a0001992>