The Laying Down Of Harmonised Rules On Artificial Intelligence

Earlier this year, the EU Commission tabled a Proposal of the European Parliament and Council on the Artificial Intelligence Act (“Proposal” or the “Act”) a brief summary of which can be accessed through our website. The Proposal was recently scrutinised by the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) in a joint opinion issued on the 18th of June 2021  (“Joint Opinion”). In this Joint Opinion the EDPB and EDPS, whilst acknowledging the Commission’s initiative to extend the use of Artificial Intelligence Systems (“AI Systems”) throughout the Member States, rejected a few of the tabled proposals.

The Joint Opinion addresses the following matters:

  • The exclusion of international law enforcement cooperation from the scope of the Proposal which might risk circumvention by third countries and international organisations using AI Systems within the European Union.
  • The need for clarification that the European Unions’ legislation on the protection of personal data pursuant to the various applicable laws (“EU Data Protection Law”), inter alia, the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications (the “e-Privacy Directive”) shall mutatis mutandis apply to the use of AI Systems.
  • Whilst welcoming the risk-based approach method adopted within the Proposals, the EDPB and EDPS highlight the need to ensure that AI Systems, including those that do not involve the processing of personal data but still impact the interest or fundamental rights and freedoms of the individuals, to also fall within the scope of the Proposal. Furthermore, the EDPB and EDPS encourage that the risk-based approach be clarified and brought in line with EU Data Protection Law, since this would ensure that certain rights and remedies available to individuals subject to AI Systems are clearly indicated.
  • The EDPB and EDPS propose that compliance with legal obligations arising from European Union legislation should be a precondition to be allowed to enter the EU market as a CE marked product. They further recommend including the requirement to ensure compliance with EU Data Protection Law in the Proposal.
  • A complete prohibition on ‘social scoring’ which may possibly lead to discrimination and is contrary to EU fundamental principles. As it stands, the Act is proposing that it is only when carried out ‘over a certain period of time’ or ‘by or on behalf of public authorities’ that such practices are prohibited. Meanwhile private companies such as social media companies or cloud providers are allowed to carry out such practices.
  • The adoption of a stricter approach when remote biometric identification is used in public spaces.
  • That the Proposal adopts a better approach in listing the exceptional cases in which ‘real- time’ remote biometric identification in publicly accessible spaces is permitted for purposes of law enforcement. As a result of this, the EDPB and EDPS call “for a general ban on any use of AI for an automated recognition of human features in publicly accessible spaces”.
  • The EDPB and EDPS are also advocating for an ex ante third party conformity assessment to be carried out for high-risk AI. This conformity assessment should also be carried out each time a significant change is made, as proposed, however the threshold for ‘significant change’ should be clarified.
  • Elucidation on the role and tasks of the EDPS specifically when it is operating as a market surveillance authority.
  • Data Protection Authorities (“DPAs”) should be designated as the national supervisory authorities pursuant to the Proposal. This will ensure that a harmonised regulatory approach is adopted which will certainly overcome any contradictions in enforcements throughout the member states.
  • More autonomy should be granted to the European Artificial Intelligence Board (EAIB) in order to facilitate a “consistent application of the regulation across the single market”.

Of particular interest, in the Joint Opinion the EDPB and EDPS delves into the interaction between the EU Data Protection Law and the provisions of the Proposal. The EDPB and EDPS highlight the importance that the two frameworks to be complementary to each other and advised that any inconsistency or conflict should be eradicated as the lack of harmonisation could lead to directly or indirectly put the fundamental right to the protection of personal data at risk. Human oversight should be at the core of AI systems – this will ensure that not only will rights be respected and guaranteed but that they are altogether avoided.

The Joint Opinion recommends that the principles enshrined in the GDPR, predominantly that of transparency, should continue to apply when data is being used for AI training and/or prediction. Additionally, to ensure a high level of transparency, the EDPB and EDPS welcome the proposals contained in the Act that high-risk AI Systems be registered in a public data base. Likewise, data subjects shall continue to enjoy the rights granted by EU Data Protection Law such as the rights to restrict processing and erasure of personal data.

Finally, one of the fundamental pillars of the Proposal is the certification system which is based on a structure of entities. Regrettably, this system was not aligned with the certification system outlined under Article 42 and 43 of the GDPR. As a result, The Joint Opinion states that this may generate a great deal of legal uncertainty especially when high-risk AI systems which are based on the processing of personal data are involved. In the hope of clearing this disparity, the EDPB and EDPS recommend that certain amendments are carried out to the Proposal. The EDPB and EDPS propound that these amendments should be carried out with the involvement of the DPAs.

Although the Act proves to be a step in the right direction to allow technological advancements of such nature to prosper, the EDPB and EDPS remark that further work still needs to be carried out before a fully functioning legal framework can be adopted which can efficiently work and thrive within the Community.

For further information kindly contact us on [email protected].

Pin It on Pinterest

Share this

Share this post with your friends!