The AI Act and Data Protection Rules
The intersection of the AI Act and data protection revolves around the use of personal data in AI systems. AI often relies on vast amounts of data, including personal data, to train algorithms and make decisions. The GDPR requires organisations to adhere to data protection principles and put in place certain technical and organisational measures when processing personal data. Whilst the AI Act predominantly focuses on the production, deployment and use of AI systems and their safety, the GDPR is a technology-neutral regulation aimed at protecting data subjects’ privacy when their personal data is processed. Certain interactions exist:
- Risk Assessment and Compliance: High-risk AI systems, as defined by the AI Act, must undergo rigorous assessment processes to ensure compliance with both the AI Act and GDPR. This includes evaluating the impact on privacy and data protection rights. AI systems that process personal data, and the risk assessments carried out on them under the AI Act, must be covered by the data protection risk assessments.
- Data Governance: The AI Act reinforces the principles of data governance laid out in the GDPR. AI system developers and deployers must ensure that data used in AI is collected and processed in line with GDPR requirements, including data minimisation and purpose limitation. In effect, this requirement has consequences for the entire AI supply chain wherever personal data is used.
- Transparency and Explainability: Both the AI Act and GDPR emphasise the need for transparency. The GDPR requires that individuals understand how their data is being used, while the AI Act mandates clear information on AI system capabilities and limitations, particularly for high-risk applications.
- Human Oversight: The AI Act requires human oversight to prevent or minimise risks, which complements the GDPR's focus on human-centric decision-making processes, especially in cases involving automated decision-making and profiling.
- Data Subject Rights: The GDPR provides individuals with rights over their personal data, such as the right to be forgotten and the right to object to automated decision-making. The AI Act seeks to ensure that the deployment of AI systems does not infringe upon these rights.
Challenges and Considerations
The interplay between the AI Act and GDPR is not without challenges. One of the main considerations is ensuring that the AI Act complements the GDPR without creating conflicting requirements for AI developers and users. Additionally, the dynamic nature of AI technology means that both regulations will need to be adaptable to future developments. The AI Act and GDPR together create a robust framework for the ethical and responsible use of AI in the EU. The AI Act’s alignment with the GDPR's principles is a clear indication of the EU's commitment to protecting fundamental rights in the age of AI. Businesses and AI practitioners must stay informed about these regulations to ensure compliance and to foster trust in AI technologies. As the digital landscape evolves, the synergy between the AI Act and data protection rules will play a pivotal role in shaping a trustworthy digital future.
The complexity of ensuring compliance with both the AI Act and data protection rules requires a multifaceted approach that addresses legal, technical, and organisational challenges. CMS specialises in technology and data protection law. CMS experts are considered leaders in this field and are well-positioned to provide the required expertise and support you in facing these challenges.
Contact us to learn more about the services below, which we can offer your organisation in complying with the AI Act and the GDPR.
The AI Act and Data Protection Services
- Compliance Audits and Risk Assessments
  - Conducting thorough audits of AI systems to classify their risk level under the AI Act.
  - Performing data protection impact assessments to identify and mitigate risks related to personal data processing and (envisaged) use of AI systems.
- Policy Development and Implementation
  - Assistance in developing internal policies that ensure compliance with both the AI Act and data protection rules.
  - Providing guidance on implementing these policies effectively across all levels of the organisation.
- Training and Awareness Programs
  - Creating training modules for employees to understand the importance of compliance and their role in it.
  - Developing awareness programs that highlight the ethical use of AI and the importance of data protection.
- Legal Advisory and Representation
  - Offering legal advice on the interpretation of the AI Act and data protection rules as they apply to specific AI systems.
  - Representing organisations in dealings with regulatory authorities, including during investigations and enforcement actions.
- Contractual and Transactional Support
  - Reviewing and drafting contracts involving AI systems to ensure they include necessary provisions for data protection compliance.
  - Advising on transactions involving AI technologies, considering both the AI Act and data protection implications.
- Incident Response and Breach Management
  - Providing support in the event of a data breach or non-compliance with the AI Act, including notification procedures and remediation strategies.
- Ongoing Monitoring and Updates
  - Keeping organisations informed about updates and changes to the AI Act and data protection rules.
  - Monitoring the use of AI systems to ensure ongoing compliance with evolving regulations.
Local market knowledge. Global outlook
We provide future-facing legal advice to help your organisation thrive. Combining local market knowledge and a global perspective, and with lawyers in locations worldwide, your organisation benefits from the expertise it needs, even across borders.