The entry into force of the Regulation of the European Parliament and of the Council Establishing Harmonized Legislation on Artificial Intelligence – the so-called “AI Act.
AI Act – represents the first attempt to legally regulate the operation of artificial intelligence systems.
In practice, however, the act raises a number of controversies concerning, among other things.
copyright law, liability for damages caused by AI, but also the processing of personal data.
Does the AI legislation change the rules for processing personal data?
Basic information on the implementation of RODO and AI into the legal order
The EU legislature has adopted a completely different strategy for the requirements to be met by an entity covered by the AI Act and RODO.
The former requires the implementation of different types of standards and mechanisms regarding, among other things:
- risk management;
- data management;
- technical documentation;
- transparency obligations;
- impact assessment on fundamental rights.
However, it is important to realize that the AI ACT itself does not grant users any rights (interestingly, the AILD, which has not yet been enacted, does so).
In the case of the RODO, this is quite different, as the regulation does not indicate exactly what needs to be done, but specifies the result to be achieved.
This result is primarily to secure data protection and enable data subjects to exercise their rights.
Which artificial intelligence systems are addressed by the RODO and which by the AI Act?
A new EU law covering AI concerns the application of artificial intelligence.
However, it is important to note that the regulation primarily refers to high-risk artificial intelligence (AI) systems. high-risk AI).
Oznacza to, że do tych systemów stosuje się równolegle akt o sztucznej inteligencji oraz RODO.
Do pozostałych osiągnięć nowych technologii stosuje się wyłącznie RODO.
AI Act versus the General Data Protection Regulation.
How to apply them simultaneously?
First of all, it is worth noting the wording of paragraph 1.2 of the AI Act’s Preamble.
In it, the EU legislator indicated that the AI Act regulation does not in any way violate the RODO 2016/679 regulation.
This means that the two legal acts operate on the same level complementing each other.
AI developers, as well as system providers and operators, are subject to exactly the same data processing rules as all other market participants.
It can be said that risk management in the design and use of AI systems must take into account both the grounds that legalize the processing of personal data and the rules for managing it.
In practice, therefore, some AI-based systems must comply with both regimes of standards – the AI Act and RODO.
Część z nich będzie się pokrywała, np. ograniczenia w zakresie zautomatyzowanego przetwarzania danych osobowych i wykorzystanie modeli sztucznej inteligencji, które bazują na podprogowej ingerencji w zachowanie osób fizycznych.
However, this doesn’t always have to be the case, so the use of artificial intelligence should be preceded by an audit of both AI Act and RODO regulations.
How to train generative artificial intelligence models in compliance with RODO?
Currently, tools based on generative artificial intelligence are very popular.
This can include, among others.
Chat GPT, Dall-E, Google Bard or Jasper, among others.
Their common denominator is that in order to use AI, it is necessary to “train” it, i.e. provide resources and modify parameters to obtain the most accurate results.
Currently, regulators involved in the personal data sector have not developed a unified position on whether such AI can process users’ personal data for development purposes.
A good example is the ruling of the Italian GPDP, which held that it is permissible for a personal data controller to invoke the legitimate interest rationale (Article 6(1)(f) of the RODO).
It can be expected that in order to avoid ambiguity and the risk of a severe sanction, the designers of artificial intelligence tools in the future will introduce the possibility of to withdraw consent or object by the user to the use of his/her personal data, provided that the functionality of the software is affected.
Why is the implementation of the AI Act and RODO so important?
Leaving aside the risk of hefty fines associated with ignoring EU regulations, both AI Act solutions and the RODO regulation create compliance obligations on the part of businesses. Meeting the requirements indicated in the legal standards guarantees the conduct of business in accordance with the law.
In both cases, it is worth remembering that compliance audits should be conducted periodically and repeated each time new solutions are implemented that modify existing processes.
Who will be in charge of evaluating the use of artificial intelligence?
Compliance of AI tools and personal data processing rules will be under the same regulatory authority in Poland (as probably in other EU countries).
Expanding the competencies of the Office for Personal Data Protection will make it possible for entrepreneurs to be controlled on two levels in parallel.
Doubts and legal problems with artificial intelligence are increasing the risk of a chilling effect among system manufacturers fearing heavy sanctions for failing to meet the new requirements, or for failing to properly integrate an AI system with RODO regulations.
Responsible risk management and the provision of tools that are not only effective, but also work in accordance with the RODO and AI Act requires the support of professionals.
We invite both entities involved in AI design and entrepreneurs who use them to work with us.
Our law firm specializes in new technology law and offers comprehensive support in this area.
Meta title: AI Act and RODO.
Can these regulations be applied simultaneously?
Meta description: Artificial intelligence is increasingly being used in business.
Reconciling the AI Act and RODO, however, raises many questions.
How to apply them?
Link to analysis in Contad:https://app.contadu.com/analysis/content-preview/385ef5ad810f6143/0f1754f68d5585e9d8d6e1ef48ea6dd15d3