Wednesday, May 20, 2026
How does EU’s GDPR differ from its AI Act? #Nama

The key difference between the European Union’s Artificial Intelligence (EU AI) Act and the General Data Protection Regulation (GDPR) is that the former follows a product regulation approach while the latter is data subject-oriented, said Markus Wunschelbaum, legal advisor to the Data Protection Authority of Hamburg, Germany. He was speaking at PrivacyNama 2024, on a panel titled “Data Protection Authorities on AI and Data Protection.”

“It [EU AI Act] regulates systems, it regulates models, it regulates the value chain. So, it regulates development, testing, market placing, and then deployment. This is very different from the GDPR, which regulates all of those things, but doesn’t name them,” he explained. The AI Act did not consider data processing or data subjects as it was more concerned with regulating an emerging economic market, namely AI. He likened it to the way the EU regulated children’s toys, with a focus on safety requirements and risk mitigation.

How can the AI Act influence data protection?

Wunschelbaum also felt that data protection authorities could learn from the perspective adopted by the AI Act. He explained that the GDPR only covered data processing and did not get into the technical aspects of software, while the AI Act did. “Data privacy, in that way, becomes more precise. Before the AI Act, we might have not differentiated between an AI system and an AI model. We would have just said, AI. Somewhere, there must be personal data processing. That’s it, we will regulate this,” he stated.

He revealed that EU data protection authorities were in the middle of a debate on whether AI models themselves contain personal data. While a model may be trained on personal data and may even output it, does that mean the model itself contains the data? Such questions were nudging authorities to be more precise and get into the technicalities of AI, said Wunschelbaum. He also suggested that while the GDPR may not need a separate AI amendment, it needed to be reinterpreted to fit AI.

How should multi-purpose AI be regulated?

AI is useful for multiple purposes in different sectors or contexts, said Session Chair Malavika Raghavan. How would a data protection authority regulate such technology?

According to Wunschelbaum, the GDPR only considers data processing and doesn’t discriminate against any particular use. However, the AI Act follows a two-pronged approach, where it outright bans certain use cases like subliminal messaging or social scoring, and categorises different uses based on risk level and assigns appropriate compliance burdens. The AI Act places heavy transparency requirements on Generative AI systems that users could deploy for any purpose.

How would a regulator enforce data protection laws on AI?

Sri Lanka is gradually developing its data protection framework, said Jayantha Fernando, Director of the Sri Lanka Computer Emergency Response Team. He also chaired the drafting committee of the country’s Data Protection Act.

The South Asian island nation does not actually have a constitutional basis for privacy, said Fernando, requiring them to use other constitutional principles to draft the law. The government has adopted a light-touch approach, establishing a regulatory authority and publishing guidelines for stakeholder comments. The law mandates data protection impact assessments for high-risk processing activities, including those involving AI. He also stated that the law was not operational yet.

Given the fact that such a regulatory framework is new in Sri Lanka, the government has yet to establish a methodology for enforcement, which it would determine through future regulations. However, Fernando stated that preventative measures were better than a cure after damage was done. He also stressed the importance of striking a balance between promoting innovation and regulation.

How Does It Work In The EU?

Wunschelbaum highlighted the present uncertainty over choosing a regulatory body to enforce the AI Act. On one hand, DPAs have shown their interest in regulating AI. They argue that they are the only independent body present in every member state and have plenty of experience dealing with businesses and governments.

However, the AI Act adopts a product regulation perspective, which they lack experience in. “They [DPAs] regulated data processing, not products. They never went into the development of a product before it was even on the market and said, show me what you do. What they did is react to data subject complaints,” said Wunschelbaum. “Product regulation is really different because, on the one hand, you have to regulate from the start. And on the other hand, you also have to allow innovation to happen way more than what data protection law does by the letter of the law, because it’s about data protection, not data usage in that sense.”

Further, there are fears that DPAs would be too strict as regulators and may end up inhibiting innovation. That’s why Germany opted to assign AI governance to the infrastructure authority. However, other EU states like France and the Netherlands use DPAs to govern the AI ecosystem in their countries.

As different countries in the EU adopt different methods and agencies to enforce the AI Act, this could lead to a complex regulatory landscape that would hinder the consistent application of the Act. “That’s one of the drawbacks of having this new regulation because everyone’s hot on AI. Everyone wants to do it. Everyone wants to regulate it,” he said. However, such a rush could also lead to communication issues between different agencies.

A Justice-Oriented Approach Towards AI?

Shashidhar KJ, Managing Editor of MediaNama, postulated a fundamental tension in AI development and regulation. On one hand, data minimisation is a key principle of data protection. On the other, reducing bias in AI systems often requires more diverse and comprehensive data. This conflict was a crucial issue for AI systems used by the government for social benefits, where fairness was important. How could a balance be struck between minimising the data used to preserve privacy and ensuring fair and unbiased AI? Could there be a new, “justice-oriented approach” to data collection and privacy, he asked.

Session chair Malavika Raghavan also added two key concerns. One, AI systems may reproduce existing biases, potentially infringing on fundamental rights protections. Two, generative AI might provide incorrect or biased answers to questions. This could lead to targeting certain groups unfairly, as AI systems learn from online content that may contain objectionable or biased views.

Fernando stated that such situations were challenging scenarios that should be dealt with on a case-by-case basis and encouraged regulators to engage in discussions with experts. He suggested that a future National AI Centre in Sri Lanka could identify the key ingredients for a safe and trustworthy AI ecosystem.

Wunschelbaum, however, pointed out that data minimisation should not be an inflexible principle. “Data minimisation does not mean do not process data. It means to process data only as much as you need to,” he said. Therefore, if an AI system would become safer through a larger dataset or by retraining, that would not violate the principle of data minimisation.
