EDPB and EDPS respond to the European Commission's proposed artificial intelligence regulation

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint opinion on 18 June 2021 on the European Commission's proposed artificial intelligence (AI) regulation. For further information on the European Commission's proposal itself, please see our previous blog post here.

In the joint opinion, the EDPB and the EDPS appear to welcome the European Commission's proposal to regulate the use of AI systems in the EU, viewing the regulation as necessary to protect and maintain the fundamental rights of EU individuals. However, the EDPB and EDPS stress that more work needs to be done to establish:

• how the legal framework to regulate AI systems which encourages innovation whilst also protecting the fundamental rights of individuals, is going to operate;
• the intrusive forms of AI which should be prohibited; and
• the interaction between the new AI regulation and existing legislation, including the GDPR.

We set out our key takeaways from the joint opinion below.

Key Takeaways

• Clarity needed over relationship with existing EU data protection law: As autonomous decisions are often made in reliance on personal data and data processing activities, the EDPB and EDPS find the current proposal's failure to clearly define the interaction between the new AI regulation and existing EU data protection law to be lacking. In their view, there should be an explicit requirement for organisations seeking to develop or implement AI systems to ensure compliance with the GDPR.

From a practical perspective, this would mean that organisations seeking to develop or implement AI systems would need to incorporate privacy by design into every stage of their development and ensure that all data protection requirements can be met including in relation to transparency and the implementation of adequate technical and organisational measures. For example, data subjects would need to be informed if their personal data is to be used for AI training/predictions and in relation to the rights available to them under the data protection laws.

• Prohibition of intrusive forms of AI – The EDPB and EDPS consider that certain uses of AI are contrary to the EU's fundamental values such as those which lead to discriminatory practices or which have a negative impact on the ability for individuals to exercise freedom of expression and movement. A number of specific examples given include the use of AI in connection with:
  • interfering with the emotions of a natural person (except for well-specified use-cases such as for health or research purposes);
  • automated recognition of human features in publicly accessible spaces (which includes faces, fingerprints, DNA, voices, keystrokes and other biometric or behavioural signals) for large-scale remote identification in online spaces;
  • categorising individuals from their biometrics into clusters according to ethnicity, gender or political/sexual orientation; and
  • any type of social scoring.

The EDPB and EDPS deem such uses of AI to be highly undesirable and in the EDPB and EDPS's view these ought to be prohibited entirely rather than merely classified as "high-risk" as per the proposal.

• Risk assessment: The proposal sets out four categories of AI systems based on the risk that they present to the fundamental rights and safety of individuals (for more detail, please refer to our previous blog on the proposal here). The proposal also explains that organisations will only be subject to regulatory obligations and restrictions when AI systems are likely to pose a high level of risk to the fundamental rights and safety of individuals, something which will need to be assessed on a case-by-case basis.

The EDPB and EDPS note that the proposal's emphasis on the potential impact of AI systems on individuals fails to address risks which apply to groups of individuals and society as a whole, such as group discrimination and the expression of political opinions in public spaces. Further, the EDPB and EDPS suggest that the concept of "risk to fundamental rights" to individuals should be aligned with the equivalent concept under the GDPR.

The EDPB and EDPS query the proposal's pledge for an exhaustive list of high-risk AI systems to be maintained as this would need to be regularly updated to keep pace with evolving technology/use of AI systems.

• Clarification of the EDPS's role and the relevance of Data Protection Authorities (DPAs): Whilst the EDPB and EDPS welcome the designation of the EDPS as the competent authority and the market surveillance authority, they urge legislators to clarify the EDPS' future role and responsibilities under the proposal as failing to do so could potentially threaten the EDPS' ability to fulfil its obligations as data protection supervisor.

Furthermore, the EDPB and EDPS highlight that DPAs already enforce data protection legislation such as the GDPR and benefit from a pre-existing understanding of AI technologies and data. They therefore suggest that DPAs should be designated as additional national supervisory authorities under the proposal.

• Lack of international law enforcement cooperation: The EDPB and EDPS welcome the extension of the proposal's scope to cover the use of AI systems by EU institutions, bodies and agencies and ensure a coherent approach across the EU. However, they express concerns in relation to the exclusion of international law enforcement cooperation from the scope of the proposed regulation as this exclusion creates a significant risk of circumvention, for example by third countries or international organisations operating high-risk applications relied on by public authorities in the EU.
• More autonomy required for the European Artificial Intelligence Board (EAIB): The EDPB and EDPS recognise the need for the proposed legal framework to be applied in a consistent and harmonised manner across the EU as overseen by the EAIB. However, they suggest that the EAIB will require more autonomy than is currently afforded to it in the proposal if it is to fulfil this role with a view to achieving such consistency across the EU. Furthermore, they urge legislators to introduce cooperation mechanisms between national supervisory authorities and provide a single point of contact for individuals and organisations wishing to raise concerns about the legislation.
• Certification mechanism: The proposal suggests that organisations implementing or developing high risk AI systems will need to obtain a certification to demonstrate their alignment with the EU AI framework. In EDPB and EDPS's view, it is unclear as to how this will work in practice and whether this process will align with the certification mechanism under Articles 42 and 43 of the GDPR.

The Way Forward

The EDPB and EDPS appear to view the proposal as a step in the right direction in relation to building a legal framework around AI. However, there is a lot of work to be done in the years before the proposal is passed into law to address all of the issues set out above.

More recently, the commission adoption feedback period closed on 6 August 2021 with more than 304 comments from stakeholders, which further indicates that the European Commission will need to revisit certain aspects of the proposal in addition to those set out above.

In the meantime, businesses seeking to make use of AI should keep an eye on any updates to the proposal. Those seeking to use AI to process personal data should also take note of the ICO's newly released AI and Data Protection Risk Toolkit to get an idea of the ICO's views on the associated risks and maintaining compliance with data protection laws when implementing AI systems.