The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

A. I. between expectations and doubts – second part

Anticipated by the work of the High-Level Expert Group on AI (Ethics Guidelines for Trustworthy AI of April 2019 and Policy and Investment Recommendations for Trustworthy AI of June 2019) and the EU Commission’s own White Paper on AI (19/2/2020), the proposed Artificial Intelligence Act (AIA) regulation was published by the Commission on April 21, 2021 (COM/2021/206 final).

Although it has been said that it represents the first regulatory example of this issue on an international scale, in truth in early 2021, the United States enacted the US National AI Initiative Act; the European proposal, however, promises to become a further international benchmark on this issue, what some have called “the Brussels effect”.

 

Summary

Figure: EU Overview on Artificial Intelligence

 

Legislative procedure of the AIA proposal

The proposal relies on the legislative instrument of the regulation – as has already been the case for the GDPR, the Digital Markets Act (COM/2020/842 final), the Digital Services Act (COM/2020/825 final), the Data Governance Act (COM/2020/767 final) – which, once finally approved by the European legislature, will be directly binding in all 27 Member States. It has been said (Celeste 2019, De Gregorio 2021) that this embracing regulation at the Union level induces the development of a “digital constitutionalism”, as it introduces with secondary rules of European law, founding principles and rules of the digital universe, from which individuals will benefit.

Previously, the European Parliament, in its recommendations to the Commission in its Resolution of 20 October 2020, had highlighted that it was “essential to have uniform, principle-based legislation throughout the Union, adapted to future needs, for all AI systems; [Parliament] is of the view that, although sectoral regulations are preferable for the wide range of possible applications, a horizontal and harmonized legal framework, based on common principles, appears necessary to ensure legal certainty, set uniform standards throughout the Union and effectively protect European values and citizens’ rights.”

Time to full application

Since this is a proposal, there are two obvious consequences:

  • its current contents will not be precisely the final ones, as the final text will be the one resulting from the negotiation of the trilogue between Parliament and EU Council, with the participation of the Commission
  • the temporal forecast of the full application of these rules is uncertain but presumably protracted. In the case of GDPR it took four years of negotiation and two years of transitional period have been provided.

 

Interrelations with GDPR

The AIA proposal raises several questions about the interrelationship with the GDPR that are not always answered in the Commission document. Even the references in the text raise doubts and concerns, which have also been the subject of positions taken by the EDPB and EDPS in the 

by the EDPB in the 

Positions of the EDPB on legislative proposals” document.

 

The links in the proposal are:

  • statement that the proposal ensures “consistency with the Charter of Fundamental Rights of the European Union and existing EU secondary data protection law” and “is without prejudice to the General Data Protection Regulation (Regulation (EU) 2016/679) and the Directive on Data Protection in Police and Judicial Activities (Directive (EU) 2016/680) and complements them with a set of harmonized rules applicable to the design, development and use of certain high-risk AI systems as well as restrictions concerning certain uses of remote biometric identification systems.” (Report §1.2)
  • the notion of biometric data (possibly the subject of AI systems), which is considered to be in line with and should be interpreted consistently with the notion contained in the GDPR (Recital 7).
  • the reference to Article 9.1 of the GDPR for the use of biometric data affected by the use of AI systems (Recital 24).
  • the identification in the AIA Regulation as the legal basis for the use of personal data collected for other purposes for the development of certain AI systems in the public interest, having regard to Article 6.4 GDPR (Recital 72).
  • the legitimate use of special Article 9 GDPR data categories by AI system providers “to the extent strictly necessary to ensure monitoring, detection and correction of bias in relation to high-risk AI systems” (Art. 10.5).
  • the forecast for the use of descriptive information about high-risk AI systems released by providers (Art. 13) by users (holders of the relevant processing) to carry out the impact assessments required by Art. 35 of the GDPR (Art. 29.6).

These suggestions appear at times to be generic, offer solutions that are not always agreeable and do not seem to satisfy all the questions raised by an effective and efficient harmonization between the two regulations.