The AI Act and The GDPR Relationship Status: "It's Complicated"


WHY IT MATTERS:

If the EU Parliament's own researchers are scratching their heads about how the AI Act and GDPR interact, imagine being a small business trying to figure this out while staying afloat. This legal ambiguity affects anyone developing or using AI systems that might need to process sensitive data to meet the AI Act's requirements on preventing discrimination.


KEY POINTS:

  • The AI Act says you can process special categories of personal data to detect and fix bias in high-risk AI systems
  • The GDPR says "hold my beer" as it imposes stricter limitations on processing such data
  • When the two collide, GDPR supposedly prevails (but good luck figuring out how and explaining it)
  • Processing data on factors like age, gender, or disability might be easier since they're just "regular" personal data
  • Some experts argue the AI Act could qualify as "substantial public interest" under GDPR Article 9(2)(g)
  • At least one thing is clear: robust cybersecurity and data minimization are non-negotiable either way


THE BIG PICTURE:

The example illustrates the confusion and growing pains that can arise when emerging technologies are regulated both within existing legal frameworks and within new ones. The EU wants AI that doesn't discriminate but also wants strict data protection – a classic case of "have your cake and eat it too." While the intentions are good (protecting fundamental rights), this is also a classic case where the private sector (especially SMEs) ends up in regulatory fog and uncertainty, hurting them and innovation overall.


THE BOTTOM LINE:

Companies need to navigate a regulatory minefield where doing the right thing (preventing algorithmic discrimination) might technically violate data protection rules. Even the Belgian Supervisory Authority is trying to make sense of it all, and the Think Tank of the EU Parliament is saying that “shared uncertainty appears to prevail as to how the AI Act's provision on the processing of special categories of personal data for avoiding discrimination should be interpreted”, suggesting that the issue isn't just theoretical.


WHAT’S NEXT

  • EU data protection authorities may issue additional guidance on processing sensitive data for bias detection under both frameworks
  • Companies with high-risk AI systems may need new documentation processes proving "strict necessity" for bias monitoring
  • There may be more incentive for the EU Commission to make targeted GDPR amendments to better accommodate legitimate bias detection needs
  • Industry groups could be incentivized to develop privacy-preserving bias detection standards that satisfy both regulatory requirements
  • Potential future enforcement actions will establish practical precedents for reconciling these competing legal objectives, but this will take time


GO DEEPER

Research by the European Parliament Think Tank

EDPB opinion 28/2024

EU Publication on “The impact of the general data protection regulation on artificial intelligence”
