Under GDPR, when you collect personal data, you have to say what it will be used for, and not use it for anything else. You cannot collect data simply to do an ML trawl on it. Specific uses of AI may be more acceptable, such as using data to calculate a credit score, but even then, you must take care that the scope of the credit scoring system does not widen. Always try to minimise the data you hold.
Not only are you required to minimise the amount of data you collect and keep, limiting it to what is strictly necessary for your stated purposes, you must also put limits on how long you hold the data. ML, on the other hand, wants as much data as it can get. The more data ML gets, the better it is at spotting patterns, and it is desirable to keep the data as long as possible, since historic patterns can better inform ML decisions. I think this will inevitably reduce the performance of some ML systems. It is likely that companies like Amazon, who use ML in a number of systems such as recommendation engines, need to gain consent for each of the different uses from their customers, which might result in the simplifying of their ML.
Additionally, once data has been collected, you have to be able to tell people what data you hold on them, and what’s being done with it. You also need to be able to alter or get rid of people’s personal data if requested. So, data needs to be identifiable and accessible at an individual level, and this might mean that some ML systems have to remove data that does not contain individual-level identifiers.
As with any legislation, it is not yet known exactly what each provision of the GDPR means, and some aspects will only become clear once they have been tested in court. Because of GDPR, some US-based websites currently don't allow access to requests emanating from the EU. This is obviously not an ideal solution, and I think sooner rather than later most companies will reduce the amount of data they are collecting. I think this will make ML less effective in some areas; however, a lot of ML is not necessarily based on customer data, such as image recognition systems, so there will be a number of uses of ML that the GDPR will have little effect on.