Summary: Large language models and text-to-image systems offer value for surgical education, counseling, and decision support. Yet European teams frequently face legal barriers that US investigators do not, especially when patient images or other sensitive health data are processed by third-country artificial intelligence (AI) services. Europe’s General Data Protection Regulation explains this divergence, and the European Union (EU) AI Act imposes strict rules on special-category health data, whereas US frameworks (the Health Insurance Portability and Accountability Act and the Common Rule) allow broader use of de-identified data and pose no cross-border transfer constraints. We use a recent Plastic and Reconstructive Surgery study on AI-generated lip-lift counseling images as a concrete example of work that is straightforward in the United States but risky in the EU if done via public, non-EU AI services. We then present legal and practical ways for EU researchers, when using EU–US Data Privacy Frameworks or an EU-hosted enterprise service with a data-processing agreement, to keep data in EU regions on Microsoft Azure/Google Cloud Platform, or to run open-source models on their own servers, and to apply strict de-identification/anonymization. We conclude with policy recommendations for regulators to clarify research exceptions, set up supervised “sandboxes,” and publish practical healthcare guidance under the AI Act.
Holm et al. studied this question.