Insights EU AI Act: European Data Protection Board adopts statement on role of data protection authorities

Contact

The European Data Protection Board (“EDPB”) has adopted a statement on the role that data protection authorities can play in the implementation of the European AI Act (the “Act”). It comes as the Act, on which we’ve previously commented here, was published in the Official Journal of the European Union on 12 July and came into force on 1 August 2024.

Under the Act, the job of monitoring AI systems and ensuring that products on the market conform with the Act’s requirements will fall to national market surveillance authorities (“MSAs”). MSAs will be required to report annually to the Commission and relevant competition authorities about “any information identified in the course of market surveillance activities that may be of potential interest for the application of Union law on competition rules. They shall also annually report to the Commission about the use of prohibited practices that occurred during that year and about the measures taken”.

It is for Member States to designate an appropriate MSA which “shall exercise their powers independently, impartially and without bias so as to safeguard the objectivity of their activities and tasks, and to ensure the application and implementation of this Regulation. The members of those authorities shall refrain from any action incompatible with their duties. Provided that those principles are observed, such activities and tasks may be performed by one or more designated authorities, in accordance with the organisational needs of the Member State.”

Against that backdrop, the EDPB has recommended that existing national data protection authorities (“DPAs”) be designated as MSAs in a number of areas for the purposes of the Act. The EDPB notes that DPAs already have considerable experience and expertise in dealing with the impact of AI on data security and computing, and in assessing the risks to fundamental rights posed by new technologies. It argues that “the processing of personal data (which is often strictly intertwined with non-personal data) along the lifecycle of AI systems ‒ and particularly along the lifecycle of those AI systems presenting a high risk to fundamental rights ‒ clearly is (and will continue to be) a core element of the various technologies covered under the umbrella of the AI definition, as enshrined in Article 3(1) AI Act”.

In addition to the experience and expertise of DPAs, the EDPB also points to the advantages from the perspective of supervision and coordination, arguing that “the designation of DPAs as MSAs would benefit all stakeholders in the AI value chain by making available a single contact point, facilitating the interactions between different regulatory bodies that are concerned by both the AI Act and EU data protection law”. There is also the added benefit, the EDPB argues, that DPAs are already fully independent, meaning that they can provide effective independent scrutiny of AI systems, as required under the Act.

Summarising its position, the EDPB has recommended the following:

  • As already indicated in the AI Act, DPAs should be designated as MSAs for high-risk AI systems used for law enforcement, border management, administration of justice and democratic processes;
  • Member States should consider appointing DPAs as MSAs also for other high-risk AI systems, taking account of the views of the national DPA, particularly where those high-risk AI systems are in sectors likely to impact natural persons rights and freedoms with regard to the processing of personal data;
  • DPAs, where appointed as MSAs, should be designated as the single points of contact for the public and counterparts at Member State and EU levels;
  • Clear procedures should be established for cooperation between MSAs and the other regulatory authorities which are tasked with the supervision of AI systems, including DPAs. In addition, appropriate cooperation should be established between the EU AI Office and the DPAs/EDPB.

Commenting on the Statement, EDPB Deputy Chair Irene Loizidou Nicolaidou said: “DPAs should play a prominent role in enforcing the AI Act as most AI systems involve processing of personal data. I strongly believe that DPAs are suitable for this role because of their full independence and deep understanding of the risks of AI for fundamental rights, based on their existing experience.”

To read the Statement in full, click here.