Is processing user data with Core ML considered 'data processing' under GDPR?

Yes — GDPR's definition of 'processing' includes any operation performed on personal data, including analysis and inference. On-device Core ML inference on personal data (photos, messages, health data) is technically 'processing' under GDPR. However, because it occurs locally with no external transmission, your obligations are limited to: a lawful basis for the processing (consent or legitimate interest), mention in your privacy policy, and respecting data subject rights to deletion of any stored ML results.

Insights / On-Device AI

On-Device AI Privacy Compliance for Apple Platforms

Q: Does on-device AI eliminate GDPR obligations?

On-device inference eliminates the data transfer and third-party data processor obligations for inference itself — no personal data leaves the device, so no GDPR data transfer consent is required for the AI computation. However, GDPR still applies to: any ML-generated data stored locally (e.g., classified records, inferred preferences), any analytics about AI feature usage you transmit, and model update downloads if they're linked to user identifiers.

Q: What should I include in App Store privacy nutrition labels for a Core ML app?

You must declare any data that your app collects and uses, including locally generated ML data if it's used for identifying or profiling users. Specifically: user-generated content processed by ML (if retained), inferred attributes used for analytics or advertising, any network calls transmitting user data to update models, and crash/performance data linked to ML feature usage. On-device-only inference with no transmissions typically results in minimal nutrition label requirements.

On-device AI is the strongest privacy architecture available — but it doesn't eliminate all compliance obligations. Here's what remains under GDPR, CCPA, and Apple's own requirements.

By Ehsan Azish · 3NSOFTS · March 2026

Why on-device AI is the strongest privacy architecture

When AI inference runs on the user's device, user data never leaves the device to be processed externally. This has concrete privacy and compliance implications:

—No third-party data processor relationship. Under GDPR, sending user data to a cloud AI provider (OpenAI, Google, AWS) creates a data processor relationship requiring a Data Processing Agreement and, for EU users, compliance with transfer mechanisms. On-device inference creates no such relationship.
—No data transfer consent required for inference. You cannot use the legal basis of “legitimate interest” to send user photos to a cloud AI API without telling users. On-device inference eliminates the transmission entirely — no consent needed for the inference step.
—App Store privacy nutrition label is minimal. Apps that process data only on-device with no external transmissions have very little to declare. Apps using cloud AI APIs must declare every data category sent to those APIs.
—No CCPA “sale” of personal information. Data processed locally is never sold, shared, or disclosed to third-party AI providers — a significant CCPA compliance simplification.

Apple's privacy whitepaper explicitly positions on-device processing as the gold standard: “Processing data on-device means it stays where it belongs — with the user.”

What compliance obligations remain

On-device inference reduces compliance obligations significantly but doesn't eliminate them. Here's what still applies:

GDPR obligations that persist

GDPR defines “processing” broadly — it includes any operation on personal data, including local analysis and inference. On-device Core ML inference on personal data (photos, health data, messages) technically constitutes GDPR processing. Remaining obligations:

—Lawful basis. You need a lawful basis for processing personal data with ML, even locally. For most consumer apps, this is either consent (explicitly obtained) or legitimate interest (where your interest is proportionate and doesn't override user rights).
—Privacy policy disclosure. Your privacy policy must describe what ML processing occurs locally — what data is analyzed, what's inferred, and how long results are stored.
—Right to deletion. If your app persists ML inference results (e.g., classification scores, inferred categories), users have the right to request deletion of that derived data. Build a deletion path for stored ML results.
—Automated decision-making. GDPR Article 22 applies to solely automated decisions with significant effects. If your AI makes consequential decisions about users, you may need to provide human review mechanisms.

App Store privacy nutrition labels

Apple's App Privacy Details require disclosure of data collected and how it's used. For on-device AI apps, what you must declare depends on what leaves the device:

Scenario	Nutrition label requirement
All inference on-device, no transmissions	Minimal — only crash reporting (if any)
Model updates downloaded from server	Declare if model URL is personalized to user
Anonymous analytics on ML feature usage	Declare analytics data, mark as not linked to identity
ML results synced via CloudKit	Declare data types synced
Federated learning / model contribution	Declare data aggregation; consent likely required

Sensitive data categories and special handling

Certain personal data categories trigger heightened obligations under GDPR Article 9 and platform-specific rules, regardless of whether processing is on-device or cloud:

—Health data. Processing health data with Core ML (e.g., HealthKit samples) requires explicit consent in the EU. Apple HealthKit already enforces this at the API level — you cannot access HealthKit data without explicit user authorization.
—Biometric data. Face recognition, voice identification, fingerprint analysis — even on-device — may require explicit consent and impact your App Privacy label. Apple's own Face ID data never leaves the device's Secure Enclave, setting the standard.
—Age-inappropriate inference. If your ML model infers user attributes (age, location patterns, political views), consider whether inferred attributes require the same protections as the source data they were derived from.

Privacy as product differentiation

In categories where users handle sensitive data — health, finance, legal, productivity — on-device AI is a genuine product advantage. “All AI runs on your device, nothing is sent to our servers” is a verifiable, auditable claim. Unlike a privacy policy which users must trust, on-device architecture can be verified through network monitoring.

Communicating this correctly matters. Don't bury it in the privacy policy. Surface it where users make decisions:

—App Store description: “All analysis runs on your device using Apple Neural Engine”
—Onboarding screen with a clear, non-legal explanation of what stays on-device
—Privacy nutrition label: “No data collected” (if accurate) is prominently displayed by App Store

Apps with “No data collected” nutrition labels rank differently in privacy-conscious search queries and convert better in health and productivity categories. This is a measurable revenue advantage, not just ethics.

Common questions

Does on-device AI eliminate GDPR obligations?

On-device inference eliminates data transfer and third-party processor GDPR obligations for inference itself. However, GDPR still applies to any ML-generated data stored locally, any usage analytics you transmit, and model updates linked to user identifiers. The compliance burden is dramatically reduced, but not eliminated.

What should I include in App Store privacy nutrition labels for a Core ML app?

You must declare data collected and transmitted, including ML-derived data if used for profiling and any network transmissions related to AI features. On-device-only inference with no transmissions typically results in 'No data collected' — the best possible label.

Is Core ML inference on personal data considered 'processing' under GDPR?

Yes — GDPR's 'processing' includes local analysis. On-device Core ML inference on personal data has a lawful basis requirement, privacy policy disclosure obligation, and data subject rights implications. The key advantage: no external data transfer means significantly reduced compliance scope and no cross-border transfer issues.

On-Device AI for Apple Platforms: The Complete Guide

AI-Native iOS Architecture

SwiftUI + Core ML Architecture Patterns

Apple Foundation Models vs Core ML

Privacy-first iOS development

We build iOS apps where privacy is an architectural decision, not a policy afterthought. On-device AI is the foundation.

Work with us →On-Device AI Guide