Independent authorities between personal data protection and the AI Act

The European Data Protection Board (“EDPB”) issued on July 16, 2024, Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework.

Regulation (EU) 2024/1689 on Artificial Intelligence (“AI Act”), published in the OJEC on July 12, 2024, provides for certain administrative authorities with specific tasks. 

Although the AI Act itself establishes an obligation to cooperate for these, also in compliance with the principle of sincere cooperation enshrined in Article 4(3) TEU and reiterated by the CJEU in the Bunderkartellamt case (c-252/21, July 4, 2023, paras. 53-63), the coexistence of these distinct authorities raises a problem of efficient coordination and adequate synergy between them.Today’s installment surveys the administrative authorities under the AI Act and the points of interaction with the national data protection authorities, the EDPB and EDPS.

National Competent Authority

The AI Regulation provides for the establishment or designation, that is, the assignment of specific tasks to a “competent national authority.” The choice between the establishment of a new authority and the option of assigning to an existing independent authority, the tasks provided for in the regulation, is left to each member state “in accordance with their specific national organizational characteristics and needs.”

Point (48) of Article 3, on definitions, states that the “national competent authority” can be either a “notifying authority” or a “market surveillance authority,” and Article 70 on the designation of national competent authorities and single points of contact requires that each Member State shall establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities in order to supervise the application and implementation of the Regulation (see also Recitals (153) and (154)).

The identity of these authorities and the powers vested in them are communicated by member states to the Commission, along with the single point of contact vis-à-vis the public and other counterparties, identified by the state in a market surveillance authority.

When the AI system concerns EU institutions, bodies, or agencies, the competent national authority is always the EDPS, with the power to impose fines in case of violations (Recital (156) (168) and Articles 70(9) and 100), as already provided for in the EU Institutions Data Protection Regulation 2018/1725 (EUDPR).The staff of “IA authorities” must have skills and knowledge that enable “an in-depth understanding of AI technologies, data and data computing, personal data protection, cybersecurity, fundamental rights, health and safety risks and knowledge of existing standards and legal requirements ” (Art. 70(3)). More extensive competencies, then, than those required of components of national data protection authorities under the GDPR.

Condividi

Post Recenti

A verbal communication can be a “processing”

CJEU C-446/21: Schrems v. Meta Platforms Ireland Ltd.

Data Governance Act and Italian adaptation law