CNIL Issues Guidance on Interplay between the AI Act and GDPR

The CNIL has published a FAQ to address the relationship between the European AI Act and the GDPR.

How the AI Act and GDPR Fit Together

The AI Act and GDPR are designed to complement each other, not replace one another. They apply in different scenarios based on the nature of the AI system and the data it processes. The AI Act enhances data protection principles while addressing AI-specific challenges. The CNIL emphasizes that compliance with both regulations is crucial for organizations deploying AI technologies.

Understanding whether the AI Act, GDPR, or both apply involves considering the nature of the AI system and the data it processes:

  • Only the AI Act Applies: High-risk AI systems not processing personal data.
  • Only the GDPR Applies: AI systems processing personal data but not classified as high-risk.
  • Both Apply: High-risk AI systems processing personal data.
  • Neither Applies: Minimal-risk AI systems not involving personal data processing.

The AI Act introduces specific provisions that complement GDPR compliance:

  • Prohibited Practices: Practices involving personal data prohibited under the AI Act must also comply with GDPR.
  • General-Purpose AI Models: These models often rely on personal data, necessitating adherence to both regulations.
  • High-Risk AI Systems: Compliance with both regulations is required for systems processing personal data.
  • Specific Transparency Risk: Transparency obligations arise under both regulations for systems interacting with individuals.

The full FAQ explains several other complementarities as well as differences.
