Generative AI (GenAI) has clear potential in low-risk contexts, such as enhancing productivity, supporting research, and aiding professional workflows, where it can serve as a powerful, time-saving tool.
But this begins to change dramatically when we enter high-risk arenas, particularly education, where minors are involved and formative learning, trust, and their rights need safeguarding. Any steps must be firmly anchored in the rule of law, regulatory compliance, and rigorous oversight—not wishful thinking or classical rhetoric.
The “OpenAI for Greece” rollout: groundbreaking or reckless?
On 5 September 2025, the Greek government formally inked a Memorandum of Understanding with OpenAI to pilot ChatGPT Edu in 20 secondary schools, alongside an AI-accelerator program for local startups.
In promotional remarks, OpenAI’s Chris Lehane evoked Greece’s legacy as the cradle of Western thought, citing “from Plato’s Academy to Aristotle’s Lyceum” as justification for introducing this untested tool into public education.
While the classical references are symbolic, they cannot substitute for the due diligence required when children’s development is involved.
Accountability, transparency, and children’s rights
Greece is a party to the UN Convention on the Rights of the Child. Article 12 obliges states to consult children, meaningfully consider their views when policies affect them, and conduct Child Rights Impact Assessments (CRIA). Before deploying GenAI in schools, the state should have conducted and published:
- A clear Child Rights Impact Assessment.
- A Data Protection Impact Assessment (DPIA) under GDPR.
- Transparent information about participation rights, oversight, and grievance mechanisms for parents, students, and educators.
However, as of the time of writing this article, we have seen no evidence of this crucial documentation.
Data-driven oversight, not slogans, must come first.
The elephant in the room: OpenAI’s regulatory track record
This is no mere hypothetical worry. In December 2024, Italy’s data protection authority (Garante) fined OpenAI €15 million for processing personal data without a proper legal basis, violating transparency principles, failing to disclose a March 2023 data breach, and lacking age verification to protect minors. OpenAI now faces regulators worldwide who demand absolute compliance with regulatory requirements.
What measures will Greek authorities take to prevent similar mistakes from occurring in Greece? And how will students and parents respond if they discover that the tools introduced into classrooms fail to fully protect children’s rights?
Is this pilot building on oversight or ignoring it?
Positioning high-risk tools as a pilot may risk repeating past EdTech missteps, where untested systems were introduced directly into classrooms. As Dr. Ioanna Noula, a childhood and education expert, clearly says, education cannot be a field trial. We must demand:
- Evidence of regulatory compliance under GDPR and the upcoming EU AI Act—including DPIA and child-rights assessments where applicable.
- Clear protocols for human oversight: Are educators trained to detect hallucinations, biases, and psychological risks? What fallback exists when ChatGPT fails or misleads?
- Independent oversight and audits that assess early results, not glossy PR.
It is disheartening that the government appears not to have learned from past missteps—when the Greek DPA “identified significant violations of legislation on personal data protection” during the WebEx rollout to support e-learning during the pandemic. Once again, and quite ironically, it was our children who were placed at the center of experimentation.
That episode highlighted the dangers of rushing untested digital solutions into classrooms without proper safeguards. The current initiative raises concerns that similar challenges could arise again.
Contradiction of values: Protecting minors vs. exposing them to bias and hallucinations
As a society, we rightfully strive to shield minors from harmful online content: hate, disinformation, and explicit material. The Greek government had heavily advertised Kids Wallet over the previous months as a step to protect children from online risks, and it seems to have led the introduction of age verification across all platforms.
Yet, by introducing GenAI into classrooms without safeguards, we risk hallucinations, embedded biases, and misinformation. This tension isn’t just regrettable—it’s contradictory.
If we don’t equip teachers and students to question AI outputs critically, we may be enabling the very problems we aim to prevent.
Where is the digital and data-sovereignty angle?
The European Union champions digital and data sovereignty. Digital sovereignty and privacy are critical—especially for minors in public education.
However, if ChatGPT Edu operates under a U.S.-based provider, student data—even if stored in Europe—may still be subject to U.S. law enforcement requests under the CLOUD Act. The law compels U.S. companies to disclose data irrespective of location, and no storage location can completely insulate against such access.
Moreover, a thriving European AI ecosystem offers more sovereign, privacy-minded alternatives. Companies such as Mistral AI deliver generative AI in line with European values and regulations.
Did the government explore these European options? If not, why endorse a U.S. model vulnerable under U.S. jurisdiction instead of nurturing homegrown or European AI that better supports digital and data sovereignty?
Conclusion: Respect for innovation, respect for citizens
Let me be clear: I believe generative AI can enhance education—but only under the right conditions. Low-risk support tools are welcome; curriculum design and teacher productivity are valid use cases.
But deploying ChatGPT Edu in schools without visible impact assessments, data-sovereignty clarity, or mechanisms to protect and inform minors crosses into experimenting on children. That is a line that must not be crossed.
Performance optics, such as celebratory emojis, nostalgic references, and AI as “the calculator of our time,” should not substitute for transparency and accountability. Transparency isn’t optional; it’s the cure for techno-utopianism.
If Greece wants to be a pioneer, authentic leadership means leading with caution, evidence, and ethics, not nostalgia and hype. Let’s insist on accountability, protection of minors, and real oversight before we applaud.
Anastasios Arampatzis is a cybersecurity content strategist, writer, and consultant with expertise in cybersecurity, digital identity, and regulatory compliance. Tassos has a strong background in creating thought leadership content, marketing materials, and strategic communications tailored to CISOs, security professionals, and business leaders. He has contributed to various cybersecurity publications and collaborates with organizations to develop compelling, insightful content that addresses industry challenges. He is a privacy advocate and a member of the ISC2 Hellenic Chapter. Before joining Bora, Tassos was a Hellenic Air Force officer with a solid background in IT and Infosec.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


