EU data protection authorities (DPAs) will likely start enforcing the requirements of the EU AI Act, the world’s first comprehensive AI regulation, despite the Act likely not entering into full force until 2026.
The AI Act is designed to apply in addition to the EU General Data Protection Regulation (GDPR), extending the reach of requirements by covering AI systems trained with data that is not subject to GDPR and scenarios where providers don’t qualify as “controllers” under GDPR. Despite these differences, many of the AI Act’s risk management obligations cover the same topics as those in the GDPR, but in a more specific manner. This creates a synergy that enables DPAs to interpret the GDPR in a manner consistent with the requirements of the upcoming AI Act, on topics such as:
- Impact assessment: The AI Act’s requirement for a risk management system is akin to the GDPR’s data protection impact assessment (DPIA), focusing on preemptive risk identification and mitigation;
- Data governance: The AI Act’s data governance requirements, including the appropriate use of training datasets, align with the GDPR’s requirements of fair and lawful use of personal information;
- Human oversight: The AI Act requires ensuring appropriate human oversight, which shows similarities to the (negatively formulated) prohibition on automated decision-making (with limited exceptions) under the GDPR.
Recent developments already show that the DPAs are not waiting for the AI Act to enter into force. For example, in July 2023, the French DPA stated that it will focus on entities processing personal information to develop, train, or deploy AI systems to ensure these entities have met GDPR requirements, including by carrying out data protection impact assessments, adequately informing individuals, and allowing people to exercise privacy rights. The Spanish DPA recently provided guidance on the distinction between “transparency” under the GDPR and the use of the same term in the AI Act, and the Italian DPA is investigating the online collection of personal information to train AI algorithms.
Carson Martinez contributed to authoring this blog post.