This article accompanies Hour 1: Global Privacy Law Updates in our full-day CPD programme on XpertAcademy. Completion of the full one-hour session, including the related learning materials, contributes to the one-hour CPD certificate issued for that session. You can access the course here: CPD Event A: Full-Day Regulatory Privacy Training.
AI is now part of how people complain.
That does not make the complaint invalid. A person may use AI because they are overwhelmed, because they need help with language, because they are trying to organise a difficult issue, or because a tool has made it easier to turn frustration into formal correspondence. The organisation is still dealing with a person exercising rights.
But the operational reality has changed.
Privacy teams are seeing longer correspondence, more formal language, broader allegations, repeated follow-ups and complaints that mix real data protection issues with generated legal framing. Supervisory authorities are beginning to report the same pressure. In some jurisdictions, regulators are expressly linking rising complaint workloads to AI-assisted complaint drafting. In others, the language is less direct, but the surrounding pattern is clear: more complaints, more complex digital services, more AI governance work and more need for disciplined handling.
The pain point for organisations is not only volume. It is the loop.
The loop problem
A person sends an AI-assisted complaint, DSAR challenge or wider data subject rights request. The organisation responds. The response is then used to generate a new letter, now asking for point-by-point replies, challenging the language used, expanding the scope or re-presenting the same issue with greater confidence.
Internal teams can then get pulled into the loop. Privacy replies to one version. Legal rewrites the next. Customer service responds separately. IT is asked for additional searches. The DPO function is asked whether the matter has become regulatory risk. Before long, the organisation is no longer dealing cleanly with the original issue. It is managing a growing correspondence record.
That is where risk builds.
The danger is not that the person used AI. The danger is that the organisation loses control of the handling record. After several exchanges, it may become difficult to show what was requested, what scope was adopted, what evidence was reviewed, what was answered, what remained open and what was genuinely new.
If the matter later reaches a regulator, that evidence trail matters more than the style of the correspondence.
DPO perspective
AI-assisted complaints and rights requests should be handled with procedural fairness, but not procedural panic. The use of AI does not invalidate the request and should not be treated as evidence of bad faith. At the same time, organisations are entitled to identify the real data protection issue, answer the material points, document the evidence relied on, and bring repeated correspondence to a clear and fair close where no new data protection issue is raised.
Organisations should not rely on AI-detection tools, speculation or tone to decide whether a request is valid. The handling decision should be based on identity, authority, scope, substance and the applicable legal requirements.
The other side of that discipline is security. AI-assisted correspondence can be unusually polished, urgent and persuasive. It may also contain enough personal detail to feel credible. That should not cause the organisation to shortcut its ordinary procedure. Identity checks, representative authority checks, secure-channel rules and disclosure controls still matter. Where there is reasonable doubt about identity or authority, the organisation should verify proportionately before disclosing personal data or acting on a rights request. Compelling wording is not a substitute for verification.
Nor should AI assistance alone be treated as making a request manifestly unfounded, excessive or abusive. Repetition, burden, bad faith or disruptive behaviour may become relevant in some cases, depending on the legal framework and the facts. But the use of AI is not itself the threshold.
The better discipline is simple: do not let the drafting style displace the substance.
What regulators are saying
Some regulators are now saying directly that AI is affecting complaint handling.
The Irish Data Protection Commission’s 2025 annual report release reported a 45% increase in new cases from individuals and noted that many complaints involved people using AI, increasing the volume and complexity of documentation presented. That is significant because it connects AI use by complainants with real supervisory workload.
Austria’s Datenschutzbehorde also gives direct support for the trend. Its 2025 activity report includes a section on complaints created with AI or large language models. That point should be read carefully. The fact that a complaint is AI-assisted does not mean it is abusive, but the Austrian report is useful evidence that supervisory authorities are encountering AI-shaped complaint material in practice.
Several German regulators have made similar observations. Berlin’s data protection authority reported a sharp increase in submissions and said AI chatbots can make data protection authorities more visible and make it easier to formulate complaints. Hamburg’s 2025 report links complaint pressure both to AI-assisted complaint formulation and to poor digital customer service, including automated support journeys that leave people unable to resolve their issue. Lower Saxony reported a 70% complaint increase and said search-integrated AI chatbots can point users toward supervisory authorities and suggest complaint letters.
Other regulators are better treated as adjacent context, not direct evidence of AI-assisted complaint drafting.
The Netherlands adds a related customer-service angle. The Dutch Authority for Consumers and Markets and the Dutch Data Protection Authority have warned that chatbots should not fully replace human contact in customer service and have sought input on the obstacles and risks people face when customer support is automated. That does not show AI-assisted complaint drafting, but it supports the operational loop point: poor chatbot or automated support journeys can make rights handling and complaint resolution harder.
France’s CNIL, Spain’s AEPD and Belgium’s APD/GBA are also relevant as adjacent pressure. Their 2025 materials point to high or rising complaint volumes, AI governance and increasingly complex supervisory work. They should not be cited as saying the same thing as the DPC or Austrian DSB on AI-assisted complaints. They are useful because they show the wider environment in which complaint handling, digital services and AI governance are becoming more demanding.
Italy is relevant in the same broader sense. The Garante’s 2025 annual-report materials describe a year shaped by artificial intelligence, including issues such as DeepSeek, deepfakes, AI in schools, biometrics, health and workplace AI. That is AI-governance context, not direct AI-assisted complaint evidence.
The UK also belongs in the discussion, even though it is outside the EU. The ICO’s data protection complaints guidance gives a practical process frame: organisations should provide a way to make data protection complaints, acknowledge complaints, make appropriate enquiries, keep people informed and provide an outcome. That structure is useful for AI-assisted complaints because it keeps the organisation focused on process, evidence and resolution rather than the volume or confidence of the wording.
A worked example: the six-page DSAR challenge
A person submits a DSAR. The organisation searches the relevant customer account system, complaint correspondence and support records. It applies redactions for third-party personal data and sends a response.
Two weeks later, the person sends a six-page challenge. The letter refers to incomplete searches, unlawful redactions, failure to provide metadata, inadequate explanation, accountability failures and possible regulatory escalation. The language is polished and formal. Some points are relevant. Others are generic. A few legal references are not quite right.
The weak response is to answer every sentence. That creates a long reply, which may simply generate another long challenge.
The stronger response is to classify and anchor the issue.
The real points may be these: the person believes the search scope was too narrow, they want to understand why third-party names were redacted, and they think a particular support interaction is missing. Those are material data protection points. The organisation should review the search record, confirm the systems searched, check the missing support interaction, explain the redaction approach and correct the position if the review identifies a gap.
It does not need to debate every generated allegation. It does need to show that it understood and reviewed the substance.
If a further follow-up repeats the same points without raising anything new, the organisation can say that it has reviewed the matter, identify the points already answered, confirm whether any additional disclosure or correction has been made, and explain that no further substantive response will be provided unless a new or specific data protection issue is identified.
That is not dismissive. It is controlled handling.
How to triage without losing fairness
The first step is classification. A single AI-assisted message may contain a DSAR, an erasure request, an objection, a complaint about prior handling, a customer service issue and a threat to complain to a regulator. If those issues are left tangled together, the organisation will struggle to manage timeframes, evidence and ownership.
A useful triage note should record what has been recognised and what route it follows. For example, the organisation may treat part of the correspondence as a DSAR complaint, part as a rectification request and part as service dissatisfaction. That classification should be explained internally and, where helpful, reflected in the response.
Clarification has a place, but it must be used carefully. Where the organisation genuinely cannot understand the request or cannot proceed without narrowing the scope, it should ask promptly and specifically. Clarification should not become delay. It should not be used to avoid recognising a valid rights request or complaint where the substance is already clear enough to handle.
The same applies to verification. Procedure should be followed carefully, particularly where a request asks for access to personal data, disclosure to a new address, action through a representative, or urgent release of information. AI-assisted wording can create a sense that the organisation must respond immediately and extensively. The safer approach is to acknowledge the request, preserve the timeframe, and complete the proportionate identity or authority checks required by the organisation’s rights-handling process.
In many cases, the better approach is to state the organisation’s reasonable interpretation and proceed. For example:
We understand your request to relate to personal data held in connection with your customer account and your complaint of 14 May. We will process it on that basis. If you intended to include a different system, product or relationship, please identify that specifically.
This gives the person a chance to correct the scope without allowing the entire handling cycle to restart unnecessarily.
Evidence is the control
The strongest way to manage AI-assisted complaints is not better wording. It is better evidence linkage.
For a DSAR complaint, the reviewer should be able to connect the complaint to the original request, identity checks, systems considered, search approach, records reviewed, redaction rationale, restrictions or exemptions applied, response letter, disclosure bundle, decision notes, internal approvals and follow-up correspondence.
For a complaint about processing, the evidence may sit elsewhere: a privacy notice, record of processing activity, lawful basis assessment, legitimate interests assessment, DPIA, vendor record, data sharing arrangement, retention schedule, incident record or system owner decision.
This is where many organisations struggle. The response may be carefully drafted, but the underlying record is scattered across emails, case tools, spreadsheets, local folders and ticketing systems. If the person continues to challenge the position, the organisation has to reconstruct the history each time.
That is how loops become expensive.
It is also why AI-assisted complaints are a governance issue, not only an inbox issue. If repeated complaints expose the same weak point, such as poor redaction records, unclear search logic, chatbot support failures, missing ownership or fragmented case notes, that pattern should feed privacy programme reporting. This is where the issue connects to privacy programme metrics as well as regulator updates.
A practical handling model
| Stage | What to do | Evidence to keep |
|---|---|---|
| Intake | Recognise the rights request or complaint regardless of drafting style. | Date received, channel, requester, identity or authority status. |
| Classify | Separate DSAR, erasure, rectification, objection, complaint and service issues. | Classification note and owner. |
| Scope | Define the reasonable interpretation of the request or ask targeted clarification. | Scope note, systems or processing activities in scope. |
| Review | Examine the evidence behind the challenged decision or processing activity. | Search record, decision rationale, system owner input, legal/DPO review where needed. |
| Respond | Answer the material data protection points in plain language. | Response copy, disclosure bundle, redaction or refusal rationale. |
| Close | Identify what has been answered and whether any new issue remains. | Closure note, repeated-point log, escalation/signpost record. |
This model does not require heavy new machinery. It requires discipline. The same approach supports GDPR accountability, UK complaint-handling expectations and practical regulator-response readiness.
Closing the loop
Closing the loop does not mean refusing to engage. It means identifying when the organisation has answered the data protection issue and when further correspondence is repeating a point already addressed.
A closure response should normally do four things: state the data protection issues understood, confirm what has already been answered, identify whether any new issue has been raised, and explain what will happen next.
For example:
We have considered your follow-up. The data protection issues we understand you to be raising are the scope of the search carried out for your access request, the redactions applied to third-party personal data, and the explanation provided in our response dated [date]. We addressed those points in our response dated [date] and have reviewed them again against the handling record. Your latest correspondence does not appear to raise a new data protection issue requiring a further substantive response. If there is a different or specific data protection issue you wish us to consider, please identify it clearly and we will review whether it requires a further response.
That wording is firm, but it preserves fairness. It leaves room for a genuinely new issue. It avoids accusing the person of using AI. It avoids prolonged debate about irrelevant framing. It also creates a record that a regulator can understand.
What DPOs and senior teams should put in place
DPOs and privacy leads should not wait until AI-assisted correspondence becomes a crisis. They should build the handling model into ordinary rights and complaints processes.
The most useful controls are practical ones: intake guidance for template-heavy or AI-assisted correspondence, classification rules for mixed complaints and rights requests, clear ownership between privacy, legal, customer operations, HR, IT and security, proportionate identity checks, a scope-setting method for broad requests, evidence-linking rules for DSAR and complaint records, response templates that answer the issue without over-answering the drafting, closure criteria for repeated correspondence and escalation triggers for DPO, legal or senior review.
Senior management reporting should also move beyond simple volume. Useful measures include repeated correspondence, reopened complaints, matters escalated to the DPO, complaints linked to specific digital journeys, complaints linked to AI or chatbot support, and matters where evidence had to be reconstructed after the fact.
A sudden rise in complaints may not mean the privacy team is failing. It may mean people are finding new routes to exercise rights. But if the same themes keep appearing, or if complaints repeatedly arise from the same system, vendor or support process, that is a governance signal.
Our view
AI-assisted complaints and rights requests are not going away. They are part of the new privacy operations environment.
Handled badly, they create correspondence loops, internal escalation, over-lawyered responses and weak records. Handled well, they can be triaged fairly, answered proportionately and closed clearly.
The organisation should not treat AI assistance as a reason to downgrade a person’s rights. It should also avoid letting generated wording control the handling process. The answer is disciplined privacy operations: classify the issue, link the evidence, answer the material points and close the loop where no new data protection issue remains.
For DPOs, this is a good example of why modern privacy governance needs to be operational as well as advisory. The issue sits across rights handling, complaint management, customer service, IT, legal review, AI governance and regulator-response readiness. A strong DPO function helps keep those parts connected.
If your organisation is seeing repeated DSAR challenges, AI-assisted complaints, difficult rights-request correspondence or regulator-escalation risk, XpertDPO can support the review through DPO Support, DSAR Support and, where the issue relates to AI systems or automated service journeys, AI/DPIA support.
This article is intended to support the learning covered in Hour 1 of our XpertAcademy CPD programme. The relevant CPD certificate is issued for completion of the full one-hour session on XpertAcademy, rather than for reading this article on its own. You can return to the course here: CPD Event A: Full-Day Regulatory Privacy Training.
Sources
- Data Protection Commission, Data Protection Commission publishes 2025 Annual Report
- Austrian Datenschutzbehorde, Datenschutzbericht 2025
- Berlin Commissioner for Data Protection and Freedom of Information, Number of data protection submissions increased by 50 percent
- Hamburg Commissioner for Data Protection and Freedom of Information, Activity Report Data Protection 2025
- Lower Saxony Commissioner for Data Protection, Data protection complaints at record level
- Dutch Authority for Consumers and Markets, Call from ACM and AP: please share your opinion on chatbots in customer service
- UK Information Commissioner’s Office, How to deal with data protection complaints
- CNIL, Annual Report 2025
- AEPD, La Agencia recibio mas de 30.000 reclamaciones en 2025, un 64% mas
- EDPB, EDPB Annual Report 2025: Supporting stakeholders through guidance and dialogue
- EDPS, EDPS Annual Report 2025 release
- Swiss FDPIC, 33rd Annual Report 2025/2026
- Italian Garante, Annual report materials and AI supervisory context