EU Digital Laws Need Greater Focus on Technological Reality, IAPP Panel Says
DUBLIN -- EU digital rules such as the General Data Protection (GDPR) and AI Act must align with technological reality or risk harming innovation, speakers said Wednesday at the IAPP AI Governance Global Europe 2025 conference.
Sign up for a free preview to unlock the rest of this article
The GDPR, AI Act, ePriv Directive and Digital Services Act are among the raft of measures companies must now navigate, said Bojana Bellamy, Centre for Information Policy Leadership president. How these rules apply to AI is a key question, she said. Moreover, is additional regulation needed, or would fewer, simpler rules be better?
There are tensions between the GDPR and AI Act, Bellamy noted. The former applies to the latter, but issues remain, such as whether data subjects have a right to refuse to consent to the use of their personal information for AI model training or health research, she said. Another issue is how AI users can comply with data subjects' rights under the GDPR to access their data, she added.
Asked how privacy regulations are addressing the tensions between the two measures, Peter Craddock, a data protection and AI governance attorney at Keller and Heckman, questioned the assumption that AI tools actually process personal data.
If the information is used by an AI system to draw inferences, then when it arrives in the AI system it is not personal data but has been transformed into synthetic data, Craddock argued. If the goal is to limit harm from synthetic data and ensure individuals' rights are protected, the GDPR should be interpreted that way, he said. Rules and how they're applied must align with technological reality, Craddock said.
Resolving the tension between the GDPR and AI Act involves deciding GDPR's main objective. Boris Paal, Technical University of Munich chair for law and regulation of the digital transformation, said GDPR's first objective is privacy; its second relates to other rights around data. The European Data Protection Board and courts have focused too much on privacy and not enough on rights such as free speech and research, he said.
The tangle of EU regulations is preventing investors from funding startups in Europe, said Simone Skovshoved, Danish Entrepreneurs privacy head. Regulatory overreach has brought Europe to where it is today, she said.
The EC is expected to expand reporting requirements exemptions to organizations with fewer than 500 employees (see 2505090003). But instead of looking at the size of a company, Craddock said, the EC should consider what the company does and change the logic of the law to be more risk-based.
Panelists called for more centralization of regulations across Europe under a single authority. Germany, which has a federal data protection authority along with DPAs in each state, is considering centralization, but the states oppose it, Paal noted.
Craddock said what he wants from regulators are workable interpretations of laws. To do this, regulators must understand what a technology does.