European Data Protection Authorities Back AI Act Implementation Framework but Demand Enhanced Fundamental Rights Protections

Regulation Reporter

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued joint opinions supporting streamlined coordination for implementing the EU AI Act, while simultaneously calling for stronger safeguards to protect fundamental rights, particularly regarding data protection and privacy implications of high-risk AI systems.

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have jointly released opinions on the implementation of the EU AI Act, expressing support for coordinated approaches while emphasizing the need for robust protections of fundamental rights. These positions come as European institutions prepare for the Act's phased implementation beginning in August 2024.

Supporting Streamlined Implementation

The authorities acknowledge the importance of coordinated supervision and enforcement mechanisms across member states. They support the European Commission's proposal for a structured cooperation framework that would involve national data protection authorities (DPAs) in the AI Act's implementation process. This approach recognizes that many AI systems subject to the AI Act will also process personal data, bringing them under the scope of the GDPR.

The EDPB and EDPS specifically endorse the establishment of a permanent AI Board, which would include representatives from national DPAs alongside other relevant authorities. This structure would facilitate information sharing and ensure consistent application of both the AI Act and GDPR where they overlap. The authorities note that approximately 70% of high-risk AI systems likely process personal data, creating significant overlap between the two regulatory frameworks.

Fundamental Rights Concerns

Despite supporting streamlined implementation, the authorities express serious concerns about potential gaps in fundamental rights protection. Their primary focus centers on the intersection between AI systems and data protection principles, particularly:

  1. Data Minimization and Purpose Limitation: The authorities warn that AI systems, especially those using large-scale data processing for training, may conflict with GDPR principles. They call for explicit guidance on how data minimization applies to AI development, particularly for generative AI models that require extensive training datasets.

  2. Transparency and Explainability: While the AI Act requires transparency for certain AI systems, the EDPB and EDPS argue these requirements must be strengthened to align with GDPR's right to meaningful information about automated decision-making. They recommend that AI providers should be required to document not just system capabilities but also data processing activities in detail.

  3. Automated Decision-Making: The authorities emphasize that Article 22 GDPR protections against solely automated decision-making with legal or significant effects must be reinforced. They propose that high-risk AI systems should include human oversight mechanisms that are genuinely effective, not merely symbolic.

  4. Data Protection Impact Assessments (DPIAs): The joint opinion recommends that DPIAs should be mandatory for all high-risk AI systems, regardless of whether they are classified as requiring such assessments under GDPR. This would create a unified assessment process that considers both AI-specific risks and data protection implications.

Specific Recommendations for Implementation

The authorities provide concrete suggestions for how the AI Act should be implemented in practice:

For AI Providers:

  • Documentation Requirements: Providers should maintain detailed records of data sources, processing activities, and data protection measures throughout the AI lifecycle, from development through deployment.
  • Privacy by Design: AI systems should incorporate data protection principles from the initial design phase, including techniques like differential privacy and federated learning where appropriate.
  • Impact Assessments: Combined AI risk assessments and DPIAs should be conducted before market placement, with particular attention to risks of discrimination, privacy violations, and fundamental rights infringements.

For National Authorities:

  • Coordinated Supervision: DPAs should participate in AI Act supervision through the proposed AI Board structure, ensuring data protection perspectives are integrated into AI oversight.
  • Enforcement Cooperation: When investigating AI systems, authorities should coordinate between AI Act enforcement and GDPR enforcement, avoiding duplicate proceedings while ensuring comprehensive protection.
  • Guidance Development: National authorities should develop joint guidance on interpreting overlapping requirements, particularly regarding data protection in AI systems.

For the European Commission:

  • Implementing Acts: The Commission should adopt implementing acts that specifically address data protection aspects of high-risk AI systems, including standardized templates for documentation and assessment.
  • Harmonization Measures: Additional measures may be needed to ensure consistent application of both regulations across member states, particularly regarding technical standards for AI transparency.
  • Stakeholder Consultation: The Commission should establish structured consultation mechanisms with data protection authorities throughout the AI Act's implementation process.

Technical Implementation Challenges

The authorities identify several technical challenges that require careful attention:

Data Processing Transparency: AI systems, particularly deep learning models, often operate as "black boxes" where even developers cannot fully explain specific decisions. The EDPB and EDPS recommend that transparency requirements should focus on what data was processed, how it was used, and what measures were taken to prevent privacy violations, rather than demanding full explainability of complex models.

Cross-Border Data Flows: For AI systems developed or deployed across multiple jurisdictions, the authorities recommend establishing clear rules for data transfers that comply with both GDPR Chapter V and AI Act requirements for high-risk systems.

Continuous Monitoring: Both regulations require ongoing compliance monitoring. The authorities suggest developing automated compliance tools that can track data processing activities and AI system performance simultaneously, reducing the burden on providers while maintaining oversight.

Timeline and Next Steps

The AI Act will be implemented in phases:

  • August 2024: Provisions on prohibited AI systems take effect
  • February 2025: Requirements for general purpose AI models apply
  • August 2026: Full implementation for high-risk AI systems

The EDPB and EDPS recommend that data protection authorities begin preparing for their role in AI Act implementation immediately, including:

  1. Capacity Building: Training staff on AI technologies and their data protection implications
  2. Guidance Development: Creating initial guidance on the intersection between GDPR and AI Act requirements
  3. Stakeholder Engagement: Consulting with industry, civil society, and other authorities on practical implementation challenges

Industry Implications

For organizations developing or deploying AI systems, these opinions signal that:

  • Dual Compliance Required: Organizations must prepare for simultaneous compliance with both GDPR and AI Act requirements, with data protection considerations integrated into AI governance frameworks.
  • Documentation Burden: The call for detailed documentation means organizations should invest in compliance infrastructure that can track data processing throughout AI development and deployment.
  • Early Assessment: Conducting combined AI risk and data protection impact assessments early in development cycles will be essential to avoid costly redesigns later.

The EDPB and EDPS conclude that while streamlined implementation is desirable, fundamental rights protection must remain paramount. Their joint position sets the stage for what will likely be an ongoing dialogue between AI regulation and data protection frameworks as both regulations mature and practical implementation challenges emerge.

For organizations seeking guidance, the EDPB and EDPS have indicated they will publish additional guidance documents in the coming months, particularly addressing the practical application of GDPR principles to AI systems and the specific requirements for high-risk AI systems under the AI Act.
