European Data Protection Supervisor Releases New Opinion on the EU’s Proposed AI Act

On October 24, 2023, the European Data Protection Supervisor (EDPS), which is the supervisory authority for the EU institutions, bodies, offices and agencies (EUIs), published a new opinion on the widely discussed proposal for an EU Regulation laying down harmonized rules on artificial intelligence (commonly known as the AI Act Proposal). Although the EDPS does not supervise the private sector, it plays an influential role in both the European and global regulatory community and this new opinion is, thus, a valuable addition to the current legislative debate.

The AI Act Proposal was published by the European Commission in April 2021 with a view to establishing harmonized rules for AI within the EU. In short, the purpose of this AI Act is to regulate the development and use of AI-based systems, based on the risks they entail. 

The EDPS previously issued a joint opinion in collaboration with the European Data Protection Board (in June 2021). However, this new opinion is solely the EDPS’ initiative, and it aims to provide further recommendations to the EU co-legislators as the negotiations on the AI Act Proposal enter their final stage. The opinion focuses on a number of institutional, legal and technical aspects related to the role and tasks of the EDPS as future AI supervisor of the EUIs.

Key takeaways:

• The EDPS supports the establishment of a legal framework for AI systems based on the EU values as enshrined in both the EU Charter of Fundamental Rights and the European Convention on Human Rights;
• The EDPS confirms the “red lines” set out in the earlier EDPB-EDPS joint opinion, stating that several uses of AI should be prohibited because they pose unacceptable risks to fundamental rights – including the use of AI for social scoring, categorizing individuals from biometrics, and individual risk assessments for law enforcement purposes;
• The new opinion also reiterates the view that national Data Protection Authorities should be designated as the national supervisory authorities, on account of their expertise in AI-related legislation. Simultaneously, the EDPS emphasizes the need for cooperation between these national authorities and other oversight authorities to ensure that AI systems are trustworthy, safe, and compliant with EU legislation in the field of their deployment;
• The EDPS stresses the need for clarity with regards to “high-risk AI systems” and regarding other notions, such as “provider” and “development”;
• The EDPS emphasizes that AI systems already in use at the date of applicability of the AI Act should not be exempted from its scope and should be required to comply with the AI Act requirements from its date of applicability;
• The EDPS welcomes its various proposed roles as notified body in the context of pre-market control (conformity assessment), market surveillance authority in the context of post-market control, and competent authority for the supervision of the development, provision or use of AI systems by EUIs;
• The EDPS emphasizes that the proposed AI Office, a new EU body that would support the harmonized application of the AI Act, must be independent if it is to strengthen enforcement in the EU and prevent providers of AI systems from engaging in ‘forum shopping’. It highlights the need to strengthen cooperation between the AI office and the EDPS in its role of AI supervisor. It expresses regret that it currently lacks voting rights on the AI Office’s management board, while national supervisory authorities have these voting rights;
• The EDPS recommends introducing the right to lodge a complaint before the competent supervisory authority, and to an effective judicial remedy against a decision of the authority before which a complaint has been brought (specifying the competences of the EDPS as a supervisory authority); and finally,
• The EDPS suggests providing, notably in case of the use of high-risk AI systems, the right to obtain human intervention and to contest the output of the decision-making, as well as a right to an explanation from the deployer of the AI system regarding any decisions significantly affecting the user.

In short, with its recent opinion, the EDPS aims to provide more specific advice as to how its tasks, duties and powers set out in the AI Act could be further clarified, as well as further recommendations on how to ensure effective enforcement of the AI Act through a true “European approach”.

We will continue to monitor the developments in this matter and keep you informed of any further updates.