Data protection does not stand in the way of using AI.

On 29 June, the European Data Protection Supervisor (EDPS) published his opinion on the Commission's White Paper on “Artificial Intelligence” dated 19 February. He follows the Commission's views on many areas but also differs from them on some essential points. This is most evident in the Commission's regulatory approach, which distinguishes only between two levels of risk, with robust additional rules only for high-risk algorithms.

According to the EDPS, a nuanced approach would be preferable, allowing for gradual assessments. Furthermore, certain requirements should be applied to all types of AI, regardless of the level of risk, such as the principle of transparency or the prohibition of unfair discrimination. 

Inaccuracies in the definition of "artificial intelligence" are viewed with criticism. The Commission document offered several approaches without specifying which one should be used as the basis for a new legal instrument. However, the proposal of the EDPS does not provide clarity in this respect either. The industrial policy orientation of the Commission's initiative, which aims to promote an accelerated broad use of AI, e.g. in public administrations, is also viewed with scepticism. 

In contrast, AI is not a cure-all, but a tool whose use should be assessed on a case-by-case basis. In particular, the assertion was not substantiated that the technology was already ripe for large-scale application in the health sector; such statements promoted the risk of "blind" application.  

The Euro­pean Data Pro­tec­tion Supervisor's report leaves the question of whether new European rules on the targeted use of AI are indeed necessary open. In any case, there was no need for European data protection rules. These are technology-neutral and do not prevent the use of new technologies. However, the need for a change in European liability rules was not sufficiently clearly elaborated in the White Paper. The problem of subsequent changes to software already in use is not new and above all not specific to AI. First of all, he said, it is now a question of ensuring that existing EU legislation is applied consistently.

Whatever new European regulatory framework for AI is planned, it should clearly define, in the context of the impact assessment, where there are currently regulatory gaps. Any future legal framework must respect privacy and human rights, including the principles of transparency, traceability, human control and non-discrimination.

EDPS's position is accessible here.