The upcoming AI regulation of the European Union (internationally referred to as the AI Act) will introduce a world-first regulation of AI systems for manufacturers and users. The spectrum of reactions in business, politics and the population ranges from "protective shield" to "death blow" for the future development and use of AI in the EU.
The effects are already predicted to be as serious as those of the GDPR - not least because the AI Act is strongly modelled on the GDPR in its structure and mode of operation. Like the GDPR, the AI Regulation will treat the processing of personal data as a core issue and pursue a risk-based approach. This will require those affected by the regulation to establish appropriate risk management systems that allow for risk assessments and data protection impact assessments that are as reliable as possible, and that provide for appropriate technical and organisational measures for risk minimisation and damage limitation.
Currently, the AI Regulation is still in the making. Its latest available version dates from the discussions in the European Parliament in June 2023, so a current assessment can only be based on this version, which next enters the trilogue negotiations between the EU Commission, Parliament and Council of Ministers.
But how should the interaction between the AI Act and the GDPR be assessed in light of this current state of affairs? Does the AI Act supersede the GDPR? Does it create new freedoms or additional restrictions? In principle, the aim of such regulations is not to make competition more difficult, but to regulate fair competition while taking into account the overriding protection of the rights and freedoms of the natural persons affected by processing.
It will be interesting to observe how the term "artificial intelligence" or "AI system" is ultimately defined, interpreted and understood within the meaning of the AI Regulation. Where does purely mathematical-technical processing end, and where does artificial intelligence begin? It will also be important whether the processing is carried out exclusively by AI or whether a human checks the results of the AI and then uses them for further processing.
Liability issues and the threat of fines, which both regulations provide for if an (unlawful) use of an AI system in the company ultimately leads to a data protection incident, can also cause uncertainty. In principle, the AI Regulation provides for significantly higher penalties than the GDPR, but can double sanctions occur under certain circumstances?
The lecture attempts to address all of these questions, to put the weal and woe of the upcoming AI Regulation into perspective and, with a look at the current draft of the proposed legislation, to shed light on the possible effects of the AI Act on the provisions of the GDPR already in force.