Belgian DPA publishes guidance on interplay between GDPR and AI Act
On September 19, 2024, the Belgian Data Protection Authority (DPA) released new guidance regarding the relationship between the EU Regulation on Artificial Intelligence (AI Act) and the General Data Protection Regulation (GDPR). This guidance aims to clarify how AI systems that process personal data must comply with existing data protection laws. Data Protection Officers are highlighted as key figures in ensuring that companies adhere to both regulations, particularly when utilizing AI technologies that rely on personal data for decision-making and predictions.
AI systems are characterized as tools designed to analyze data, recognize patterns, and make informed predictions. The DPA provides examples of AI applications, such as spam filters, streaming recommendation systems, and virtual assistants. While the AI Act lacks explicit references to the fair use of AI, the GDPR emphasizes fairness in data processing. The AI Act mandates that AI systems should be trustworthy and free from bias, which requires businesses to provide clear information on data usage and decision-making processes, especially for riskier AI applications.
The guidance also notes that the AI Act does not specify rules for personal data retention. However, businesses must still establish retention policies that comply with GDPR requirements. There is a distinction between the two regulations regarding automated decision-making; the GDPR grants individuals rights against automated decisions based on their personal data, while the AI Act requires human oversight throughout the AI system’s lifecycle. This means businesses must implement governance measures that ensure human involvement at all stages of AI deployment.
Finally, the DPA emphasizes the need for companies to ensure compliance with both the AI Act and GDPR, particularly when designing AI systems that process personal data. Businesses are encouraged to evaluate how these regulations apply to their operations and to develop compliance plans as necessary. The guidance serves as a crucial reminder of the importance of data protection in the evolving landscape of artificial intelligence.