The convergence of Artificial Intelligence (AI) raises interesting questions about the use of personal data by AI or machine learning technologies. AI undoubtedly introduces new and serious risks for the privacy rights of data subjects.
GDPR vs AI Act
The GDPR and the AI Act seem to be quite similar as both EU legislations envisage accountability, governance and a risk-based approach. There are however a few important differences since the GDPR is technology-neutral and primarily focused on protection of personal data while the AI Act establishes a risk-based and technologically bespoke framework specifically for responsible development and use of AI and machine learning systems in the EU.
The GDPR only applies when an AI or machine learning system is engaged in the processing of personal data. Whenever personal data is processed via AI, a strong overlap can occur between data protection and AI governance, in particular with regard to the transparency requirement: often it will not be clear to data subjects whether their personal data is being processed given the complexity of the technology used in AI.
GDPR and AI present serious challenges for both AI developers and privacy practitioners (including Data Protection Officers).
Applying data protection principles to AI
Applying the broad data protection principles of GDPR to AI is a complex exercise and implies at least the following:
- Define the roles and responsibilities and the purposes of the processing.
- Keep the fundamental data protection principles in mind and apply them to each processing: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, integrity, confidentiality, privacy by design and accountability.
- Establish the appropriate legal basis for each processing.
- Minimise the data processing and define retention periods.
- Conduct a Data Protection Impact Assessment (DPIA) necessary to take and implement all appropriate measures against the risks involved with AI models.
- Provide information and explicability.
- Ensure adequate data security to prevent data breaches or cyber incidents.
- Implement the exercise of rights for data subjects.
- Supervise automated decisions and the processing of sensitive data.
It’s essential for tech companies to understand the upcoming AI legislation in Europe and prepare for its implementation. By making timely adjustments to their AI strategies and business processes, they can ensure both legal compliance and responsible AI innovation in this rapidly changing legal environment.
Nuans guides you through the complexities.
