On 16 July 2024, the European Data Protection Board (EDPB) released a statement on the role of Data Protection Authorities (DPAs) within the AI Act framework, triggered by the publication of Regulation (EU) 2024/1689 in the Official Journal on 12 July 2024 (the AI Act).
Background and Context
The AI Act mandates Member States to designate Market Surveillance Authorities (MSAs) by 2 August 2025, to oversee the regulation’s application and implementation. The EDPB’s statement underlines the crucial role of DPAs in this framework due to their extensive experience in managing AI’s impact on personal data and fundamental rights.
Complementarity of Legal Framework
The EDPB stresses that the AI Act and EU data protection legislation should be seen as complementary and mutually reinforcing. Both aim to safeguard fundamental rights, with the AI Act enhancing the effectiveness of the GDPR and other data protection laws in regulating AI technologies.
Centrality of Personal Data
Personal data processing is integral throughout the lifecycle of high-risk AI systems, which form the core of various AI technologies. The EDPB highlights that such processing is central to the AI Act’s regulatory scope, ensuring that AI systems comply with data protection standards.
Key Recommendations
The EDPB provides several key recommendations:
- Designation as MSAs: DPAs should be appointed as MSAs for high-risk AI systems used in law enforcement, border management, administration of justice, and democratic processes, as specified in Article 74(8) of the AI Act.
- Consideration for Other High-Risk Systems: Member States should also consider DPAs for other high-risk AI systems, particularly those affecting personal data processing, in consultation with national DPAs.
- Single Points of Contact: DPAs appointed as MSAs should serve as the primary contact points for public and regulatory bodies at national and EU levels.
- Cooperation Procedures: Clear cooperation mechanisms must be established between MSAs and other regulatory authorities supervising AI systems, including DPAs.
Experience and Indispensability
DPAs have significant experience in formulating guidelines and best practices for AI-related data processing issues. Their role is indispensable for the safe, rights-oriented, and secure deployment of AI systems. This expertise ensures effective oversight and aligns AI developments with data protection principles.
Single Point of Contact
The EDPB emphasizes the benefits for AI stakeholders of having a single point of contact (SPOC) through DPAs acting as MSAs. This setup would streamline interactions and coordination across regulatory bodies.
Resource Needs
The EDPB also underscores the necessity for additional human and financial resources to support DPAs in their expanded roles. Adequate resources are essential for DPAs to effectively undertake new tasks related to AI system supervision.
It’s safe to say that this statement does not come as a surprise, and it is widely expected that not only DPAs, but also privacy professionals, will play a key role in AI governance going forward.
Get the statement here.
