EU to clarifies AI and GDPR interplay
By addressing overlaps and clarifying enforcement roles, the guidelines will support the EU’s commitment to trustworthy AI and robust data protection
The European Commission informed member states that it is developing guidelines under Article 96(1)(e) of the EU Artificial Intelligence Act (AI Act) to clarify its relationship with the General Data Protection Regulation (GDPR). These guidelines aim to ensure coherent enforcement and address overlaps between the two regulations.
The AI Act focuses on the safety and accountability of AI systems, especially high-risk ones, while the GDPR centres on protecting personal data and individual rights. Both regulations apply to AI systems that process personal data, leading to potential overlaps.
For example, the AI Act requires high-risk AI systems to use high-quality datasets (Article 10), aligning with GDPR principles like data accuracy and minimisation (Article 5). Transparency is another shared concern: the AI Act mandates clear information about AI systems (Article 13), while the GDPR grants individuals rights regarding automated decisions (Article 22).
Risk assessments are also a common requirement. The AI Act mandates conformity assessments and risk management for high-risk systems (Articles 14, 43–44), while the GDPR requires Data Protection Impact Assessments (Article 35). The guidelines are expected to help organisations integrate these assessments to avoid duplication.
However, one of the main challenges is that the AI Act and GDPR use different definitions; for instance, the GDPR defines ‘personal data ‘ broadly, while the AI Act focuses on high-risk AI systems without explicitly addressing data anonymisation. Enforcement structures also differ: the GDPR relies on national data protection authorities, whereas the AI Act introduces national market surveillance authorities and the European AI Office.
The forthcoming guidelines aim to provide clarity on these issues, helping businesses and public authorities navigate compliance with both regulations. By addressing overlaps and clarifying enforcement roles, the guidelines will support the EU’s commitment to trustworthy AI and robust data protection.
