AI & Data Protection: EU's AI Act Vis-à-vis GDPR

The introduction of the EU Artificial Intelligence Act (AI Act) alongside the General Data Protection Regulation (GDPR) represents a significant advancement in the regulatory framework for digital technologies, particularly in terms of data protection. The AI Act, while focusing on the safe and ethical use of artificial intelligence, complements the GDPR’s stringent data privacy requirements, together reinforcing the EU's commitment to safeguarding individual rights in the digital age. Here’s how the AI Act impacts data protection, taking note of the GDPR:

?Enhanced Transparency and Data Governance

The AI Act mandates increased transparency and data governance for AI systems, especially those classified as high-risk. It requires detailed documentation and record-keeping that includes information about the datasets used to train, validate, and test the AI systems. This aligns with the GDPR’s emphasis on accountability and transparency in data processing activities, ensuring individuals are informed about how their data is used and for what purpose.

Complementary Data Protection Impact Assessments

For high-risk AI systems, the AI Act necessitates a fundamental rights impact assessment, which complements the GDPR’s requirement for data protection impact assessments (DPIAs) for processing operations that pose a high risk to individuals' rights and freedoms. Both assessments aim to identify risks early in the process, adopt measures to mitigate them and ensure compliance with regulatory obligations, thereby reinforcing the protection of personal data and fundamental rights.

Strengthened Rights of Individuals

The GDPR provides individuals with various rights concerning their personal data, such as the right to access, rectify, erase, or restrict the processing of their data. The AI Act supports these rights by requiring AI systems to be transparent and understandable to users, which could help individuals exercise their GDPR rights more effectively. For instance, if an AI decision-making process affects an individual, the transparency requirements under the AI Act could enable the person to understand the basis of the decision and challenge it if necessary, using their GDPR rights.

Addressing Automated Decision-Making and Profiling

Both the AI Act and the GDPR address concerns related to automated decision-making and profiling. The GDPR grants individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The AI Act's provisions for high-risk AI systems, which could include those used for automated decision-making and profiling, necessitate robust and transparent mechanisms to ensure such systems are fair, accurate, and respect fundamental rights, thus reinforcing the protections offered by the GDPR.

Global Impact and Harmonization

The AI Act, much like the GDPR, has a broad extraterritorial scope, affecting not only EU-based entities but also those outside the EU that offer AI systems or services impacting EU citizens. This global reach encourages international businesses to adopt practices that comply with both the GDPR and the AI Act, promoting a harmonized approach to data protection and AI governance worldwide.

The AI Act Vis-à-vis the AU’s Data Protection Framework, the Malabo Convention

The EU's Artificial Intelligence Act (AI Act) is poised to align with the African Union's (AU) data protection framework, notably the Malabo Convention, by establishing a comprehensive and harmonized approach to regulating AI technologies while ensuring the protection of personal data and fundamental rights. Both frameworks emphasize the importance of data governance, accountability, and transparency in the deployment of digital technologies, including AI. The AI Act's risk-based regulatory approach and its requirements for high standards of data quality, transparency, and fundamental rights impact assessments complement the Malabo Convention’s objectives to enhance data protection standards across Africa, promote cybersecurity, and protect individual privacy in the digital age. This alignment not only facilitates cross-border cooperation and mutual understanding between the EU and African countries but also encourages the development of AI technologies that are ethical, secure, and respectful of data protection principles, thus fostering a safer digital environment for individuals within both regions.

Conclusion

The AI Act significantly impacts data protection, complementing and reinforcing the GDPR's principles and protections. By establishing clear requirements for transparency, accountability, and the ethical use of AI, the Act ensures that AI technologies respect individual rights and freedoms, including the protection of personal data. As these regulations work in tandem, they set a high standard for data protection and the responsible deployment of AI technologies, both within the EU and globally.