In April 2021, the EU Commission published its draft legislative proposal on artificial intelligence (the AI Regulation Proposal), which aims to address the risks of AI without constraining AI’s social and economic benefits (see our briefing for a detailed analysis). Shortly after its publication and early on in a discussion expected to last at least two years, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have now published a joint opinion on the AI Regulation Proposal.
The EDPB and the EDPS have proposed a range of changes to the AI Regulation Proposal. Interestingly, these changes include a ban on all AI-powered automated recognition technology in publicly accessible spaces, a ban on any type of social scoring, and a ban on AI systems that group individuals using their biometric data.
While the EDPB and the EDPS welcome the risk-based approach the EU Commission has taken in the draft AI Regulation Proposal, they emphasise that the current framework is far from ready, voicing concerns in several areas detailed below.
- Scope: the EPDB and EDPS are encouraged that the scope extends to EU institutions, bodies and agencies, but strongly criticise that the current AI Regulation Proposal does not cover international law enforcement cooperation, ie public authorities in the EU using information gathered by certain AI applications operated in third countries.
- Harmonised competencies: the EDPB and EDPS highlight the need for a consistent approach towards the AI Regulation and European data protection laws, particularly the GDPR. To achieve harmonised enforcement of these rules, the EDPB and EPDS suggest that the current data protection authorities should also be designated as the national supervisory authorities under the AI Regulation. Many commentators’ first thoughts on who could be a competent authority support this, given the increasing importance of data protection authorities and their increasing personnel. However, the EDPB and EDPS are not exactly neutral on this topic, as the EDPB is composed of representatives from the different national data protection authorities and the EDPS.
- Bans: the EPDB and EDPS call for an enhanced number of bans on certain types of AI systems. The draft AI Regulation contains a list of prohibited AI practices that are deemed unacceptable for contravening Union values from the EU Commission’s point of view. This includes AI practices that have the potential to manipulate people or exploit the vulnerabilities of specific vulnerable groups (children, people with disabilities etc) and the use of social scoring systems by public authorities. The EDPB and EDPS propose to expand or introduce bans on further AI systems, including systems for automated recognition and categorisation using sensitive biometric data, systems for inferring emotions and any type of social scoring.
Potential consequences of the opinion
The EDPB and EDPS’ opinion is likely to be influential because the current AI Regulation Proposal undoubtedly raises issues relating to data protection laws.
The EDPB and EDPS’ suggestion to allow data protection authorities to govern and enforce the provisions in the (eventually) finalised AI Regulation could solve part of the problem, especially where compliance with the AI Regulation might not automatically result in compliance with the GDPR. The various stakeholders might indeed benefit from having a single authority as a point of contact on issues related to data protection and AI.
The proposed bans would have a particular impact on law enforcement agencies and private organisations. A ban on automated recognition technology would cover everything from DNA, fingerprints, voice to keystrokes in any context. In the current draft AI Regulation, automated recognition technology could be used publicly in limited situations for law enforcement purposes. The opinion, however, stresses that these exceptions go against the proportionality principle because substantial amounts of biometric data would need to be processed for facial recognition to be effective.
Similarly, the EDPB and EDPS want to extend the ban on social scoring to prohibit any type of social scoring. This would affect organisations like credit rating agencies and subsequently any entity using data provided by them like banks and operators of online stores. Even more widely, the ban would also affect other organisations that develop social media or networking applications, which use social scoring algorithms to measure engagement or categorise data. A per se ban will undoubtedly lead to challenges for any technology organisation that relies on such algorithms.
In conclusion, the EDPB and EDPS’ Opinion shines a spotlight on many complex issues that still need to be resolved before the legislative process can kick off.
Expanding the competencies of the data protection authorities may simplify enforcement but tightening the regulations and prohibitions may create new uncertainties and challenges for both organisations and public authorities. We are almost certain to hear more from the EDPB and EDPS on the AI Regulation.