GDPR, EU AI Act will overlap as businesses face enforcement

Enforcement of the new EU AI Act remains up in the air as governing bodies are being established. Meanwhile, DPAs grapple with how new laws will interact with existing laws.

Data Protection Authorities in the European Union are grappling with ways the newly passed EU AI Act and other new regulations will overlap with the EU's General Data Protection Regulation, which has governed businesses' personal data use since 2018.

DPAs function as independent public authorities that monitor and enforce the EU's data protection law, which governs data privacy and security and grants data rights to individuals. While the GDPR focuses on data, DPAs can pursue investigations tied to technology such as artificial intelligence.

The EU's regulatory efforts have significant implications for U.S. businesses. Indeed, last year, Ireland's Data Protection Commission delayed the launch of Google's AI chatbot Bard, now Gemini, due to inadequate information about data protection. Separately, the Italian Data Protection Authority banned OpenAI's ChatGPT in March 2023, claiming that it breached the GDPR.

The newly adopted EU AI Act provides more comprehensive AI regulation, asking companies to categorize their AI systems into different risk levels and produce impact assessments. The EU AI Act also asks member states to establish governing bodies to oversee the law's implementation. Meanwhile, DPAs have already brought multiple AI-related enforcement actions against companies under the GDPR, and some DPA members are advocating that the DPAs should serve as EU AI Act enforcers as well, given how the GDPR and the EU AI Act could overlap in some ways.

Looking ahead at the EU's regulatory landscape, DPAs face challenges not only with their role regarding the EU AI Act and how the law will overlap with the GDPR, but also with the EU's Digital Services Act, Digital Markets Act, Data Act and Data Governance Act, said Ulrich Kelber, Germany's federal commissioner for data protection and freedom of information. Kelber spoke during a panel at the International Association of Privacy Professionals' (IAPP) Global Privacy Summit 2024 in Washington.

"There will be interaction of some of the regulation of the new digital acts with GDPR," he said. "The question is where the decisions are made and how to give legal certainty to citizens and to companies."

DPAs weigh role with EU AI Act

DPAs will likely play an important role when it comes to the EU AI Act because the legislation builds off the GDPR, said Anu Talus, chair of the European Data Protection Board, who spoke on the panel with Kelber. The EDPB is composed of DPA leaders from EU member states and ensures the GDPR is applied consistently across Europe.

Talus said the enforcement structure will be different between the GDPR and the EU AI Act. For the GDPR, the European Commission -- the EU's enforcement arm -- simply participates in EDPB meetings, while the DPAs act as enforcers; a new AI agency within the commission will ultimately serve as overall enforcer of the EU AI Act.

Still, organizations within EU member states will be selected to oversee the implementation of the EU AI Act. Talus believes the knowledge and experience gained from enforcing the GDPR gives a leg up to DPAs. Indeed, the EDPB created a task force last year to coordinate the enforcement of generative AI regulations.

"Many of our authorities have already enforced AI [cases] because many AI solutions are based on processing personal data," she said.

The EU AI Act will be a game-changer when it comes to AI regulation, but the GDPR will continue to rule in the areas of individual data rights and conditions where personal data can be processed, said Gintarė Pažereckaitė, a legal officer with the EDPB who spoke during an IAPP summit panel.

"We already have a law in Europe that regulates AI, and that's the good old GDPR," she said. "Of course, it applies only in cases when personal data is processed, but that could be the vast majority of AI use cases."

The EU AI Act is not an exact copy-paste of the GDPR, but fundamental human rights and many of the privacy principles established in the GDPR touching on transparency, fairness and accuracy come up in the EU AI Act, which is where there's overlap, said Jasmien César, senior managing counsel for privacy, data protection and AI at Mastercard. César spoke during the IAPP summit.

"It's kind of this EU legislative Frankenstein," she said.

César said seeing how the "complex enforcement mechanisms" play out will be interesting because member states are taking different approaches. While some, including Spain, are opting to establish new AI authorities similar to DPAs to oversee EU AI Act enforcement, others are turning to existing oversight boards, including DPAs.

"This will be a group of authorities with different backgrounds, different skill sets, used to using different toolkits, and they will have to come together and find a common ground on the same set of rules, which is the EU AI Act," she said.

DPAs face workforce challenge

The explosion of AI in the last couple of years, particularly generative AI, presents an additional challenge to DPAs -- attracting AI skill sets to serve as law enforcers, said Guido Scorza, a member of the Italian Data Protection Authority. Scorza spoke during the IAPP summit.

Building an AI workforce is something governments around the globe are grappling with. The Biden administration recently stated its goal of hiring 100 AI professionals to help lead the implementation of the White House Office of Management and Budget's AI policy for federal agencies.

"It's very difficult for a public board, at least in Italy, to offer tech people something in terms of compensation, in terms of career opportunities that are competitive with the private sector," Scorza said.

Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
