Fit or misfit: Can GDPR and the AI Act interplay?

Michael Will, President of the Bavarian State Office for Data Protection Supervision, explores the fit between GDPR and the incoming AI Act.

19 August 2024


Michael Will, negotiator of the globally adopted and emulated General Data Protection Regulation (GDPR), has big concerns about how the new AI Act aligns with GDPR. He sees challenges ahead as personal data passes through AI systems.

The AI Act starts on a promising note. It states that it "shall not affect" GDPR or other European privacy laws. Yet, it allows high-risk AI systems to process certain categories of personal data, like ethnic origin, when strictly necessary, to detect and correct bias. Though Michael agrees that "the legal basis to fight bias is important," he identifies other deficiencies with the Act.

Among them is the AI regulatory sandbox - a controlled environment for testing and refining AI technologies. Michael finds that it lacks both a clear and robust legal basis for processing personal, non-anonymized data and provisions that define the compatibility of further processing for AI training. Similarly, other issues, like "transparency, the rights of data subjects and data deletion, are not adequately addressed by the AI Act."

On declarations of conformity for high-risk AI systems, Michael worries that they may create a false sense of trust and reliance that conflicts with GDPR's objectives of enforcement and supervision. "People will try to rely on these declarations," he warns. "Accountability, security, transparency and data subjects' rights must be observed."

AI and data protection: what to do about governance

Already, many companies leverage AI and secure business value from it. Some adopt a broad strategy, experimenting widely with AI. Others are cautious, limiting AI activities to specific entities or functions. Whatever the approach, as AI technology matures and becomes a permanent fixture in the business landscape, a comprehensive governance structure must sit alongside it.

The AI Act requires but does not prescribe a governance structure, leaving it up to companies to decide what works best for them.

According to Michael, effective AI governance demands a collective team effort. He says: "Take the best people you have with knowledge of digital and bring them together. This widens the reach beyond the usual data protection officer or IT security officer. An open and diverse team, with knowledge at the centre, is the best way to ensure readiness and responsibility for AI."

New AI players don't fit within GDPR parameters

The rise of AI sees new players emerge that do not fit neatly into the traditional roles of "controller" (dictates the purpose and means of data processing) and "processor" (carries out the controller's instructions), as defined by GDPR for conventional software service providers.

Instead, data-hungry AI developers actively seek vast amounts of data to train their AI models. They play a more transformative role than either the controller or processor, which presents potential for GDPR infringements and challenges for data-protection authorities. To address the new realities of the AI landscape, and the role of the "transformer" within it, updated regulatory definitions and frameworks are essential.

Until then, GDPR supervisory bodies remain responsible for overseeing data protection and compliance. They actively publish recommendations and collaborate on European Data Protection Board guidelines on the interplay between the AI Act and GDPR.

Meanwhile, a lack of direction from national legislators leaves AI system developers and users unclear about where to go for guidance and advice. According to Michael, it seems likely that the Bundesnetzagentur, the federal agency responsible for electricity, gas, telecommunications, postal services and railways, will be appointed as Germany's AI supervisory body.

This appointment does not sit well with data protection authorities in Europe, which already have, as Michael states, "broad experience of digital businesses, data protection and IT security." The Bundesnetzagentur will need detailed AI knowledge. And rather than limiting bureaucracy, he fears it will create an additional layer of regulation for companies to navigate.

AI and data protection: fast-forward

Where will we be one year from now?

To foster innovation without compromising personal data protection, national legislators and regulatory bodies must:

  • Establish clear and effective governance structures to accommodate the unique roles and challenges presented by AI developers and users.
  • Adapt regulatory frameworks that are robust yet flexible enough to keep pace with technological advances.
  • Seek to maintain individuals' trust that their personal data remains safeguarded under GDPR.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.