knowledge 14 August 2024 |

EDPB Statement on the Role of Data Protection Authorities in the AI Act

On 16 July 2024, the European Data Protection Board (EDPB) adopted a statement on the role that it proposes Data Protection Authorities (“DPAs”) play under the Artificial Intelligence Act (“AI Act”) (see here) (“Statement 3/2024”). The AI Act entered into force on 1 August 2024 and is aimed at creating a regulatory framework for the development and use of human-centric and trustworthy AI in the European Union that ensures safety, transparency and respect for fundamental human rights (e.g. privacy and data protection rights). Our briefing here provides more information on the AI Act’s key implementation dates.

In Statement 3/2024, the EDPB proposes that national DPAs should play a prominent role in the AI Act’s enforcement framework as they already have experience and expertise on AI-related issues that involve the processing of personal data. The EDPB states that DPAs have proven to be indispensable actors in the chain leading to the safe, rights-oriented and secure deployment of AI systems in several sectors. The EDPB also expresses the view that the AI Act and EU data protection legislation should be considered as complementary and interpreted coherently together.

Article 70 of the AI Act requires that each EU Member State designate at least one Market Surveillance Authority (“MSA”) by 2 August 2025. An MSA is the national authority carrying out the activities and taking the measures pursuant to the Market Surveillance Regulation (Regulation (EU) 2019/1020).

The EDPD makes a number of recommendations, including:

• DPAs should be designated as MSAs by EU Member States for high-risk AI Systems used in the following areas:
  • Biometric identification, biometric categorisation and emotion recognition AI systems insofar as such are used for law enforcement, border management and justice and democracy;
  • Law enforcement;
  • Migration, asylum and border control management; and
  • Administration of justice and democratic processes.
• Taking account of the views of the national DPA, Member States should also consider appointing DPAs as MSAs for the other high risk AI systems, that are set out in Annex III to the AI Act, which impact on the rights and freedoms of natural persons with regard to the processing of their personal data.
• Designating DPAs (that are acting as MSAs) as a single point of contact for the public and their counterparts at Member State and EU level.
• Establishing clear procedures for cooperation between MSAs and other entities which are tasked with the supervision of AI systems particularly those in the field of product safety, competition, digital and media services, financial services and consumer protection. The EDPB notes that such procedures should be based on the principle of ‘sincere cooperation’ (as provided for in Article 4(3) of the Treaty of the EU, as highlighted by the Court of Justice of the EU in Bundeskartellamt). The EDPB states that, in this way, inconsistencies between decisions taken by different oversight authorities and bodies can be prevented in the digital ecosystem, and synergies can be exploited in coherent and complementary enforcement actions for the benefit of individuals and in the interests of legal certainty.
• The EDPB notes that whenever a general purpose AI model or system involves the processing of personal data, it may fall under the supervisory remit of a national data protection authority and of the European Data Protection Supervisor (EDPS) (when it falls under the Data Protection Regulation for EU Institutions (Regulation (EU) 2018/1725)). Therefore, national DPAs and the EDPS cannot but be properly involved where questions arise as to matters falling within the scope of EU data protection law in the supervision of those systems.

Finally, Statement 3/2024 is important as we see the EDPB weighing-in with a strong view that the national DPAs should have a prominent role under the AI Act. It will be interesting to see if this propels EU Member States to expand the remit of their data protection authorities so that they take on a greater role under the AI Act.

For more information, please contact the key contacts below from the Technology and Innovation Group.