On 31 May 2024, the Austrian Data Protection Authority (DSB) published two guidelines on the interplay between the General Data Protection Regulation (GDPR) and the newly adopted EU AI Act. One guideline is aimed at private sector controllers and the other at public sector controllers. The guidelines emphasize that the GDPR remains crucial even with the advent of the AI Act.
Applicability of GDPR
The DSB clarified that the AI Act does not supersede the GDPR – according to Article 2(7) of the AI Act, the roles and responsibilities of data protection authorities, as well as the obligations of AI system providers and operators under the GDPR, remain unaffected. This means that any processing of personal data by AI systems must still comply with GDPR provisions.
Legal Basis for Data Processing
For AI systems that process personal data, there must be a valid legal basis as outlined in Article 6(1) of the GDPR. When dealing with sensitive data, the stricter conditions of Article 9(2) GDPR must also be met. The DSB emphasized that the GDPR does not hinder the development of AI but ensures that personal data is processed lawfully.
Automated Decision-Making (Article 22 GDPR)
The guidelines highlighted the significance of Article 22 GDPR, which applies to automated decisions that produce legal effects or significantly affect individuals. Examples include automated loan approvals or online hiring processes. The DSB pointed to the broad interpretation of Article 22 by the European Court of Justice (ECJ), necessitating strict adherence to its provisions when AI systems are used for such decisions.
Practical Examples and Further Guidance
The DSB referred to case law involving the Austrian Supreme Administrative Court and the AMS algorithm used by the Public Employment Service. This example underscored the applicability of Article 22 GDPR in automated decision-making scenarios. Additionally, the DSB provided links to FAQs and resources for further information on AI and data protection.
Future Directions
The DSB noted the European Data Protection Board’s (EDPB) strategy for 2024-2027, prioritizing guidelines on the relationship between the GDPR and the AI Act. As a member of the EDPB, the DSB will actively contribute to developing these guidelines to ensure coherent application of data protection laws.
👉 Find the guidance here.