Regulatory Collaboration Key for Plethora of EU Digital Laws, Privacy Experts Say

Some data protection authorities (DPAs), such as France's CNIL, have expressed willingness to oversee AIA compliance, Pirvan said. AI governance, however, is more complex than GDPR, she noted: Ireland has appointed at least 12 different regulators to handle AIA investigations and violations.

Collaboration between competition and data protection regulators has occurred for years at the EU and national level, Pinsent Masons data protection attorney Aurelie Caillard and digital regulation attorney Wesley Horion wrote in an email.

The European Court of Justice (ECJ) has confirmed that some level of cooperation between competition and data protection authorities must exist in certain cases, the lawyers said. "This is a blueprint -- there are many cases where this cooperation between experts in different fields is necessary, and the number of those cases is rapidly expanding as new tech and services further blur the lines which the regulators were first designed to oversee."

The ECJ addressed the issue of cooperation between competition and data protection authorities in Meta Platforms & Ors (Case C-252/21), the lawyers said. It confirmed that national antitrust authorities can investigate and penalize GDPR noncompliance when it relates to a breach of competition law. The court stressed that while competition authorities may examine GDPR infringements, they must cooperate with DPAs to ensure the GDPR is applied consistently.

In a Jan. 15 plan, the European Data Protection Supervisor called for creation of a Digital Clearinghouse 2.0 to ensure a consistent, coherent approach to EU laws regulating digital markets (see 2501150005). The digital regulatory environment is no longer just about the GDPR, the EDPS said: Other key laws, such as the AIA, Digital Services Act, Digital Markets Act and Data Act, also need coordination to avoid a patchwork of rules.

Austria's data protection authority on Wednesday published FAQs about the intersection of AI and data protection. Among other topics, the document provides information on the relationship between the AIA and the GDPR.

The Wednesday webinar addressed how companies can manage the interplay between the AIA and GDPR. The two have some common areas but also key distinctions, Pirvan noted.

Both measures are rooted in the protection of fundamental rights, Pirvan said. Data protection authorities and officers are familiar with new technologies such as AI because the GDPR requires that they assess their impact. A great deal of work has already occurred under the GDPR in managing compliance, which helps companies consider how those same elements can be used to comply with the AIA.

Another area where GDPR compliance can help with AIA compliance arises from the fact that under the GDPR, organizations must map the systems they use for personal data, Pirvan said. They can then leverage that mapping to flag use cases and systems that contain elements of an AI system. Companies don't have to start from scratch, she said.

There's a "huge difference" between the AIA and GDPR, however, in that the former is essentially a product-safety regulation, Pirvan said. Beyond the fundamental rights impact assessment the AIA requires, there are also conformity assessments to ensure the system is safe to market.

It's likely that current impact assessment templates under various laws, such as for data protection and risk, will need to be revisited, Pirvan said. The templates will have to look holistically at people's fundamental rights that AI could affected, such as free speech and freedom of assembly. These rights go beyond the realm of data protection rights under the GDPR, she said.