AI Act: Data Protection Authorities want to be in charge of high-risk systems

18 July 2024

On 16 July 2024, the EDPB adopted a statement on the role that authorities can play in the European AI Act, published in the Official Journal of the European Union on 12 July.

During the latest plenary session of the European Data Protection Board (EDPB), data protection authorities sought a common position on their role in implementing the European AI Act published on July 12 and due to come into force from August 1st, 2024.

This new regulation provides for the designation of one or more competent authorities to assume the role of market surveillance authority, but it does not rule on the nature of the concerned authorities: this choice is up to each Member State, which will have to appoint one or more authorities by August 2, 2025.

In this context, European data protection authorities recall that they already have experience and expertise in dealing with the impact of AI on fundamental rights, in particular the right to the protection of personal data, and should therefore be designated as market surveillance authorities for a number of high-risk AI systems.

Such a designation would ensure good coordination between the different national authorities, as well as smooth articulation of the AI Act with the GDPR.

For the record, the CNIL is among the most advanced authorities on the subject in that it has an expert department dedicated to these issues and is implementing a global action plan to ensure the most virtuous possible deployment of these systems.

With this statement, the EDPB recommends:

  • As already suggested in the AI Act, designating data protection authorities as market surveillance authorities for high-risk AI systems used in the following areas:
    • Biometric identification, biometric categorisation and emotion recognition used for law enforcement, border management, justice and democracy purposes;
       
    • Law enforcement;
       
    • Migration, asylum and border control management;
       
    • Administration of justice and democratic processes;
  • Designating data protection authorities as market surveillance authorities for other high-risk AI systems that may impact the rights and freedoms of individuals, in particular with regard to the processing of their personal data;
     
  • Designating of data protection authorities as a single point of contact for the public and their counterparts at Member State and EU level;
     
  • Establishing clear procedures for cooperation between market surveillance authorities and other national competent authorities, as well as appropriate cooperation between the AI Office (European Commission), data protection authorities and the EDPB.