After long discussions and a feedback process, we finally have the AI Act. The AI Act covers major concerns such as the ethical use of AI, AI governance, and risk management for AI systems. The future of responsible AI now has a clear legal path. It is hard to capture all the problems that can arise from AI, but in general, the AI Act covers the major foreseable problems that can and will arise. In the bigger picture, we will certainly encounter AI cases where the expertise of privacy professionals is needed to properly interpret the GDPR and the AI Act. Still, the combination of both will not give us the full picture of what awaits tech companies in Europe.

The EU Parliament had long discussions and passed many new legislations in a short amount of time. Forty-six new digital legislations have been adopted so far between 2019-2024. The European Commission’s plan, “A Europe fit for the digital age,” will continue during the new legislative period. The EU is dedicated to bringing Brussels into cyberspace. We could coin one further term as the Europeanization of Cyber Space. Certainly, the effect will be felt sooner or later, and already companies are rushing to understand what to comply with or whether they fall into the scope of the new legislation.

The new landscape in the EU for tech companies is drastically changing. More and more compliance measures are on the way. Like the “gold rush,” now there is a rush towards “compliance.” The AI Act will mark the compliance measures for AI, but that will not be enough considering the amount of legislation coming. The challenge arises for companies even to know what to comply with in the first place. For privacy professionals specifically, if they are not keeping up to date with the latest developments, it will be harder to help their clients.

What’s next for the AI Officer?

Companies also want to reach their business goals, but it can result in failure without knowing how to proceed. There must be a common ground where company interests, the legislative field, and best practices meet. The EDPB’s last statement about the Data Protection Authorities acting as Market Authorities for AI Act compliance also confirmed the intersection of AI and privacy concerns.

We work to help our clients use AI responsibly and appropriately apply privacy by design to their business operations. The questions we receive daily help to prepare consultants at TechGDPR for what is to come in the near future. 

• How to use AI responsibly in business operations? 
• What guidelines should be put in place for the data privacy and AI intersection? 
• Are there any other data-related legislations in the EU that companies should comply with?
• How does the GDPR affect the implementation of AI in business operations?
• What other legislations affect data processing in the EU?

These were some of the important questions that directed us to build the concept of Data Officer. The Data Officer role combines the traditional responsibilities of privacy professionals with the more complex European data landscape, where compliance intersects with new data laws and the AI Act. A Data Officer focuses on data protection procedures, manages data privacy policies, and keeps companies updated with AI Act requirements and how to use AI responsibly. The focus is on compliance, but another aspect of Data Officer is that it also aligns data strategy with business goals. Data governance, in its simplest terms, is handled by the Data Officer.

Benefits of a Data Officer for Companies

A Data Officer can help SMEs navigate compliance challenges and align their business goals with industry realities. One significant advantage would be that the approach is practical, backed up by case studies TechGDPR has solved. This helps companies operate safely in the EU, without worrying about upcoming changes or data compliance requirements. The state-of-the-art diligence and experience of the Data Officer will lead companies to better compliance.

Maintaining industry standards and aligning business goals with the EU’s complex data laws is challenging. TechGDPR consultants are prepared to guide companies through their new data journey in the EU.

With our experienced team and developed guidelines, the Data Officer will guide through the complex EU legal framework. Companies using Data Officer services will ensure solid privacy by design and AI Act compliance in their operations. Our niche experience with international clients helps companies turn data into a competitive advantage in the EU.

The post The Future of Responsible AI: The Essential Role of a Data Officer appeared first on TechGDPR.

A multitude of new regulations are either in the ordinary legislative procedure or already in force. These include the Data Act, the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Cyber-Resilience Act, European Health Data Space Regulation, the Artificial Intelligence Act. Data regulations in the European Union (EU) are becoming more complex and challenging for businesses to comply with. The increasing number of administrative burdens and compliance requirements in these regulated areas are a valid concern for businesses. Supervisory enforcement, for enacted regulations will be a wake-up call for organizations that are not prepared. Tech players operating in the EU and authorities overseeing those activities face the similar challenge of adapting to legislative overlap. New fines, new supervisory authorities and new compliance requirements are expected. To better understand this burst of regulation, the EU’s strategic policies must be carefully examined.

What is the EU aiming for?

• The United States (US) and China (CN) have different advantages in the field of technological competitiveness. 
• The US has a strong private sector with abundant financial resources, while CN has a state-sponsored private sector. 
• The EU meanwhile wants to shape its own digital future, and create a competitive Digital Single Market while enforcing European democratic values. In a short span of time, the European Commission has implemented digital transformation policies to become more competitive in the global economy, reduce the carbon footprint that arises from the red-tape bureaucracy and go digital. 
• Better public services and comprehensive scientific research will be strengthened by the re-use of data envisaged in the European Strategy for Data. 

Understanding the distinct European view on data 

Greater productivity for IoT and data-enabled products are also on the list. But greater accessibility to data is needed to enable innovation in a data-driven economy. This explains why data intermediaries are expected to play a key economic role, as envisioned in the Data Governance Act. Making more data available to smaller players will be made possible by creating common European data spaces in strategic sectors. There are multiple underlying reasons for the data spaces, all of which align with the strategic data policies of the European Union.

• The new regulations are in line with the existing strategic objectives, allowing for organizations to get ahead of the game by embracing the EU’s strategic data policies. 
• The industrial data space and co-generated industrial data is part of the Data Act. 
• The common European health data space is also regulated with the upcoming European Health Data Space Regulation. 
• Green Deal data space, financial data space, energy data space, agricultural data spaces, are also mentioned in the “European Strategy for Data”.

EU strategic goals

• The digitalisation of public services and the digital transformation of businesses are of high priority in the 2030 Digital Compass: the European way for the Digital Decade. 
• The Digital Compass goals are consistent with the rising amount of data being created in the EU. 
• The EU is determined to maintain its regulatory norms and standards in its relations with international partners. 
• By 2030, the EU aims to build an interconnected data processing ecosystem conscious of fundamental rights and in full compliance with legal requirements. As stated in the 2030 Digital Compass policy, the EU will continue to promote the ethical use of AI, establish strict cybersecurity and resilience requirements, tackle disinformation and illegal content online, ensure the operational security of digital finance and facilitate transformation of e-government. Respectively, these strategic policies are being covered by the Artificial Intelligence Act, the NIS2 directive and Cyber-Resilience Act, the Digital Services Act, the Digital Operational Resilience Act for the financial sector and European Health Data Space Regulation.

Implications for the future

These new regulations pave the way for the EU to achieve its new industrial strategy of climate neutrality and digital leadership. They help to reduce the carbon footprint and prevent red tape bureaucracy. 

• The digital transformation is essential for a greener EU.
• The reuse of data is also critical. 
• As stated in the EU Strategy for Data, this includes greater productivity and competitive markets, as well as improvements in health and well-being. 

The emergence of data-driven ecosystems can prove itself in the long run but it may take years for the EU to figure out the interplay of new regulations within the existing legal frameworks, the preparation of new guidelines and the appropriate degree of coordination between supervisory authorities. 

The EU will need to ensure that data and data-enabled products and services are available throughout the single market. Considering the EU’s goal of building a legal digital framework and becoming an international market leader, similar regulations may spread over time to different continents through the Brussels Effect. The key intention is to create a European data ecosystem that is respectful of fundamental rights. Whether these strategic intentions will be translated into the regulatory scope as intended remains to be seen. 

The post Making sense of new EU-wide data regulations, the red thread behind the digital single market appeared first on TechGDPR.

The Economic Impact of AI

BITKOM, Germany’s digital association, conducted a survey revealing a significant finding: approximately half of all companies surveyed in the EU have already abandoned new, innovative projects. This is due to ambiguities in the interpretation of the GDPR. Fear of potential penalties and legal ramifications could further discourage companies from investing in new AI technologies.

The new AI act, which is still on the legislative agenda of the EU, will largely determine the competitiveness of the AI industry. The act holds the power to shape the EU’s AI industry for the next decade. However, the unprecedented challenge for the EU’s fast-paced tech industry is that of the different member state laws and regulations that prevent innovation. Privacy concerns of EU citizens are also another important topic that directly threatens AI innovation. The EU’s new AI Act envisions an AI regulatory sandbox to establish a sustainable competitive environment for AI technologies while safeguarding citizens’ fundamental rights.

High-risk AI system is also defined in Article 6(1) as: “The AI system is intended to be used as a safety component of a product, or is itself a product, covered by Union harmonization legislation” or “the product whose safety component is the AI system, or the AI system itself as a product, is required to undergo a third-party AI conformity assessment with a view to the placing on the market or putting into service of that product pursuant to Union harmonization legislation.“

AI regulatory sandboxes make it easier for innovators to conduct experiments with high-risk AI systems and test their products with fewer legal procedures. AI regulatory sandboxes also offer legal flexibility, but not absolute immunity.

Looking across all types of AI failures, the most frequent problem is privacy risks. High-risk AI systems have the potential to inflict greater harm upon the fundamental rights of citizens.

Figure: Floridi, L. et al. (2022) ‘Capai – A procedure for conducting conformity assessment of AI systems in line with the EU Artificial Intelligence Act’. (1)

The Role of the EU in AI Regulation

To effectively address the legal implications arising from AI failures, special attention needs to be given to the rules that shape the direction of the regulatory sandbox. These rules include: processing data for public interest, monitoring performance, risk mitigation, secure data environment, data transmission restriction, data subject impact reduction, technical documentation, record-keeping, and transparency for experimenters. These rules, designed to protect the privacy of data subjects, are in line with the General Data Protection Regulation (EU) 2016/679 (GDPR).

Article 54(1)(c) of the AI Act requires effective monitoring mechanisms to identify risks to data subjects’ fundamental rights in sandbox experimentation. If any issue arises that infringes upon the privacy of data subjects, the risks must be mitigated, and, if necessary, the processing halted altogether. Organization must maintain records of decisions and efforts carried out to halt data processing to demonstrate compliance. Each high-risk AI experimentation differs by nature, so a case-by-case examination is necessary. The balancing test between the participants’ interests in privacy and the experimenter’s interests may not practically be determined beforehand or for each experiment. The recommended best practice, also a GDPR Article 25 privacy-by-design requirement, is thus to involve privacy experts in designing the experiments.

Regulatory Sandbox for AI

AI regulatory sandboxes defined in the Article 53(1) of the new AI Act as: “a controlled environment that facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan.”

For the experiments being conducted, participants in the AI regulatory sandbox remain liable, and as stated in Article 53(2) of the AI Act, “Member States shall ensure that national data protection authorities and other national authorities are associated with the operation of the AI regulatory sandbox.” Additionally, the corrective powers of the competent supervisory authorities in relation to the data subject rights shall remain unaffected.

The AI Act also introduces practices, such as implementing quality management systems, maintaining technical documentation, and establishing post-market documentation plans, specifically designed for high-risk AI systems. However, the overarching goal is to ensure that these practices harmoniously implement privacy concerns to protect the fundamental rights. As stated in the ICO’s “Regulatory Sandbox Final Report,” practices such as using synthetic data for innovation can also help to reduce the risk to privacy. However, this information is still generated from real data and must be carefully analyzed.

The use of personal data for high-risk AI systems is challenging, but necessary in some cases, such as public health and safety. AI regulatory sandboxes facilitate this possibility, particularly when it serves the public interest in these matters. Nevertheless, supervisory authorities have the authority to halt the experiments if they deem it necessary. The new guidelines from the data protection supervisory authorities and the future cooperation of the European Artificial Intelligence Board are expected to reveal how the AI industry will be shaped within the EU’s Single Data Market policy.

(1) Floridi, L. et al. (2022) ‘Capai – A procedure for conducting conformity assessment of AI systems in line with the EU Artificial Intelligence Act’, SSRN Electronic Journal, p. 57

The post Strategic Compliance in the EU: Balancing Competition, GDPR and AI Regulation appeared first on TechGDPR.