EDPB recommends DPAs as AI market surveillance authorities
The European Data Protection Board (EDPB) recommends designating Data Protection Authorities (DPAs) as the main AI oversight body for high-risk systems and potentially others.
The European Data Protection Board (EDPB) this week published a statement outlining the role of Data Protection Authorities (DPAs) in the recently enacted Artificial Intelligence Act (AI Act).
The AI Act, published in the Official Journal on July 12, 2024, lays down harmonized rules across the European Union (EU) for the development, deployment, and use of artificial intelligence (AI).
The EDPB emphasizes the complementary nature of the AI Act and existing EU data protection legislation, including the General Data Protection Regulation (GDPR). The statement highlights that the processing of personal data is intrinsically linked to the lifecycle of AI systems, particularly high-risk systems that could endanger fundamental rights.
The GDPR grants individuals various rights regarding their personal data, including the right to access, rectify, and erase it. The EDPB argues that DPAs, with their existing expertise in data protection matters, are well-positioned to oversee the AI sector and ensure compliance with both the AI Act and EU data protection law.
The statement makes specific recommendations to EU member states regarding the designation of competent authorities for AI supervision under the Act. The EDPB recommends that DPAs be designated as the Market Surveillance Authorities (MSAs) for high-risk AI systems, as mandated by Article 74(8) of the AI Act. This applies particularly to AI systems used in law enforcement, border management, and sectors crucial to democracy, as well as other high-risk systems identified in the Act's Annex III.
The EDPB acknowledges that some member states may have already designated MSAs. However, they recommend that DPAs still be considered for the remaining high-risk AI systems, especially those that could significantly impact individuals' data protection rights.
The statement argues that designating DPAs as MSAs would offer several advantages:
Single Point of Contact: DPAs could act as a central point of contact for the public, businesses, and other member state authorities regarding AI compliance. This would streamline communication and avoid confusion over overlapping regulations.
Consistent Enforcement: A unified approach to AI oversight across the EU would ensure consistent enforcement of the AI Act and data protection regulations.
Expertise and Independence: DPAs possess the necessary expertise in data protection and fundamental rights to effectively supervise AI systems. Their independence from commercial or political influence is also crucial for ensuring impartial oversight.
The need for close cooperation between DPAs, MSAs, and other entities involved in AI supervision is also emphasized in the statement. The EDPB stresses the importance of establishing clear procedures for collaboration to prevent inconsistencies in decision-making and leverage synergies for effective enforcement.
The statement concludes by calling for adequate resourcing of DPAs by member states. With the new responsibilities under the AI Act, DPAs will require additional human and financial resources to effectively fulfill their supervisory role.
The EDPB statement highlights the crucial role of DPAs in ensuring the responsible development and deployment of AI systems that respect fundamental rights and data protection principles within the EU. By leveraging their existing expertise and fostering collaboration with other oversight bodies, DPAs can contribute to a trustworthy and human-centric AI ecosystem.