AI and AI readiness are becoming critically important for fast-moving organizations. According to Gartner, more than 60% of CIOs have incorporated AI into their plans. Organizations that collect, process, store, or handle personal data are already taking measures to secure the personal identifying information (PII) of EU residents as required under GDPR. For many of these organizations that also make use of AI systems, there will soon be additional requirements under the recently passed EU Artificial Intelligence Act (EU AI Act). In this blog post, we explore these two important pieces of legislation as they relate to data privacy.
Overview of GDPR and the EU AI Act
Both the GDPR and EU AI Act are designed to protect individuals’ data and privacy, though in different ways. The EU AI Act complements GDPR, but from a slightly different perspective.
GDPR: A Fundamental Rights Law
The GDPR, passed in 2018, is designed to protect the personal data of individuals residing in the European Union. It requires transparency in the processing of personal data, ensuring accountability and control to protect sensitive PII data. While GDPR doesn’t directly mention AI systems, Article 22 specifically mentions automated decision-making processes. Altogether GDPR is primarily legislation that relates to individuals’ rights.
EU AI Act: A Product Safety Law
The EU AI Act, adopted in March 2024, will enter into force on a staggered timetable starting within 24 months. It’s not yet fully developed, and often unclear in its handling of specific data privacy issues. Instead of creating individual rights, the EU AI Act is based on a tiered risk level system regulating standards and obligations for developers, deployers, importers, distributors, and authorized representatives of AI systems.
Complementary Frameworks: How GDPR and the AI Act Work Together
While the GDPR and EU AI Act do have different focuses, in some instances these directives overlap, with one serving as the stopgap to the other. In other instances, they are unrelated. The EU AI Act, which is designed to govern the safe development and deployment of AI technologies, relies on the GDPR to ensure that individual rights are protected, particularly within the data used by AI systems. In return, the transparency obligations of the AI Act can reveal GDPR data privacy violations, and ensure that personal data is protected.
Key Provisions and Obligations
Organizations are already taking into account the necessary data security requirements as part of GDPR. But how does this influence their data security obligations under the EU AI Act, so that they remain compliant with both?
Automated Decision-Making (Article 22 GDPR)
As mentioned above, Article 22 of GDPR applies to AI systems. This Article secures individuals’ data privacy by giving them the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. It is directly applicable to AI systems that, once trained, make autonomous decisions. In this case, there are provisions requiring that human oversight is instituted so that data privacy and individual rights are secured.
High-Risk AI Systems (Article 14 EU AI Act)
The EU AI Act categorizes AI systems based on a tiered risk system, with high-risk systems subject to the most stringent requirements. Article 14, which overlaps with Article 22 (GDPR), mandates that high-risk AI systems are overseen by humans during their operation, incorporating a “human-oversight-by-design” approach. This ensures that individuals’ data privacy is carefully monitored within the AI system.
Organizations already have strategies to ensure compliance with GDPR regulations. Now, the primary focus is on meeting the new EU AI regulations to remain compliant. Let’s look at how the EU AI Act and GDPR may influence compliance.
Compliance Strategies for Organizations
Organizations using AI systems that include personal data from EU countries will need to consider both GDPR and the EU AI Act to remain compliant and prevent penalties. There are some important strategies to ensure compliance with both pieces of legislation:
- Records of Processing Activities (RoPAs): GDPR requires detailed records of data processing activities that help in the discovery and cataloging processes and ensure transparency. We outlined the importance of data discovery for meeting GDPR compliance here.
- Privacy Impact Assessments (PIAs): Conduct regular PIAs to determine whether processes are impacting individuals’ rights. This is a shared requirement under both GDPR and the AI Act.
- Human Oversight: Implement robust human oversight mechanisms for AI systems, especially those classified as high-risk. This reduces the risk associated with automated decision-making processes that could violate GDPR.
- Technical and Organizational Measures: Data security transparency is needed to meet both GDPR and the AI Act. This enables organizations to provide human intervention if it appears that individuals’ rights are likely to be harmed.
Enforcement and Penalties
The enforcement mechanisms for the EU AI Act are designed to avoid the silo effect observed with the GDPR, where different national regulators operated with little coordination. The EU AI Act introduces a stronger coherence mechanism across the EU, with the European AI Office coordinating efforts at the European level. Non-compliance with the AI Act can result in significant fines, similar to GDPR penalties, with a progressive sanctioning scale based on the severity of violations.
What’s Next
GDPR paved the way for the EU AI Act, as there is already international consensus about the need for AI standards. The EU learned from some of the challenges it faced when implementing GDPR that strong international cooperation is necessary, in addition to ensuring better coordination among national regulators, introducing stronger enforcement mechanisms, and providing clearer guidelines for compliance. We elaborate on some of the potential challenges organizations may face under the EU AI Act.
Conclusion
The EU AI Act provides guidelines about regulating AI systems to ensure that individuals’ rights and freedoms are protected. Both GDPR and the EU AI Act provide an approach to ensuring that data privacy is protected. Meeting these requirements is necessary as organizations race to become AI-ready while remaining compliant.
To learn more about how Satori can help your organization become AI-ready while navigating the complexities of both GDPR and the EU AI Act, book a demo with one of our experts.