The Department of Energy’s Argonne National Laboratory has launched a secure, shared AI inference platform built on idle GPU and accelerator clusters. By keeping data on‑premises, the service helps scientists use large language models without exposing sensitive research to public AI providers, but it also raises compliance questions under GDPR, CCPA and other privacy statutes.

Argonne Turns Spare Supercompute Into Private AI Inference Service for U.S. Researchers

What happened – On 27 May 2026 Argonne National Laboratory announced a new AI inference service that stitches together two under‑utilised clusters – the 192‑GPU Sophia system (Nvidia A100) and the Metis platform (32 SambaNova SN40L accelerators). The lab plans to add Nvidia GH200‑based Tara and B200‑based Minerva later this year. Researchers can access a menu of large language models (LLMs) – OpenAI’s GPT‑OSS, Google’s Gemma, Meta’s Llama, and custom variants such as AuroraGPT – through a web‑based chatbot portal powered by Open WebUI.

Why it matters legally – The service is marketed as a private alternative to commercial chatbots like ChatGPT. By keeping inference workloads inside the DOE’s secure network, Argonne aims to protect intellectual property, classified data, and personally identifiable information (PII) that would otherwise be sent to third‑party cloud providers. This design triggers several data‑protection obligations:

GDPR (EU) – If any of the 27 million EU residents collaborating with U.S. labs submit personal data to the portal, Argonne must treat the service as a data processor. The lab must ensure a valid Standard Contractual Clause or Binding Corporate Rules arrangement, provide data‑subject rights mechanisms, and maintain a record of processing activities (Article 30). Failure to do so could invite fines up to €20 million or 4 % of global turnover.
CCPA/CPRA (California) – California‑based researchers who upload personal information are protected by the California Consumer Privacy Act. Argonne must disclose the categories of data collected, allow opt‑out of sale (which does not apply here but still requires transparency), and implement reasonable security measures under §1798.150.
DOE security directives – The Department of Energy’s DOE Order 205.1B mandates continuous monitoring, encryption at rest and in transit, and strict access controls for any system handling Controlled Unclassified Information (CUI). The new service must be accredited under the Risk Management Framework before production use.

Impact on users and companies –

Researchers gain on‑demand access to state‑of‑the‑art LLMs without the cost of provisioning dedicated GPU clusters. They can run inference on sensitive datasets – for example, real‑time plasma‑disruption prediction for fusion experiments – while staying compliant with institutional data‑use policies.
DOE labs avoid the legal exposure of sending proprietary data to external AI APIs, reducing the risk of inadvertent data leakage that could trigger breach notification obligations under GDPR’s 72‑hour rule.
Vendors such as Nvidia, SambaNova and Open WebUI see a new use‑case for their hardware and software in a high‑security environment, potentially opening a market for “government‑grade” AI inference stacks.

Compliance steps Argonne is taking –

Data minimisation – The portal strips metadata and enforces field‑level redaction before passing prompts to the model.
Encryption – All traffic uses TLS 1.3; model weights and intermediate tensors are encrypted at rest with AES‑256.
Audit logging – Every inference request is logged with user ID, timestamp, and model version. Logs are stored in an immutable WORM bucket for 90 days to satisfy both DOE audit requirements and GDPR’s accountability principle.
Access control – Role‑based access (RBAC) integrates with the lab’s existing Active Directory and multi‑factor authentication (MFA) system.
Privacy impact assessment (PIA) – Argonne conducted a PIA that identified residual risks (e.g., model‑level memorisation of training data) and defined mitigation steps such as differential‑privacy fine‑tuning for domain‑specific models.

What changes are coming –

Extended hardware – Adding Tara (GH200) will double the mixed‑precision throughput, allowing larger context windows for scientific text generation.
Model governance – Argonne plans to publish a catalogue of approved models, each with a documented data‑source provenance file to satisfy GDPR’s data‑origin requirement.
User‑controlled data retention – Researchers will be able to set a retention policy (e.g., 24 h, 7 d, 30 d) for their prompts, after which the system automatically purges them.
Open‑source contributions – The lab intends to contribute back patches to Open WebUI that add built‑in GDPR‑compliant consent dialogs and CCPA‑style “Do Not Sell My Data” toggles.

Why the watchdog perspective matters – While the service is a technical triumph, privacy regulators will watch how Argonne implements the safeguards. Any breach that exposes EU or California resident data could trigger cross‑border enforcement actions, especially given the heightened scrutiny of AI‑driven data processing. By embedding privacy‑by‑design principles now, Argonne not only protects scientific output but also sets a precedent for how public research institutions can responsibly harness generative AI.

For more details on the hardware, see Nvidia’s GH200 announcement and SambaNova’s SN40L product page. The Open WebUI project is documented at its GitHub repository.