Newsletter

The EU AI Act Is Coming – With Numerous Legal Consequences

Legal Insights Germany

June 27, 2024

The EU AI Act was adopted by the Council of the European Union on May 21, 2024. It will be officially published in the EU Official Journal during the second half of July and is likely to come into force by August this year, instead of July as previously assumed. However, numerous legal rules for artificial intelligence (AI) already apply.

The European Commission's internal timetable for how the EU executive is preparing for the implementation of the AI regulation will therefore also be pushed back by a few weeks. The timetable assumed that the regulation would come into force in June or July. The AI Act will be fully applicable 24 months after its entry into force. However, the ban on AI systems that pose unacceptable risks, for example, will already apply six months after entry into force. This means that companies will likely no longer be allowed to use prohibited AI technologies starting in February 2025. Violations will then be subject to high fines, similar to the General Data Protection Regulation (GDPR).

There is an immediate need for action on data privacy in the use of AI, as the GDPR already applies. For example, the recommendations of the German Data Protection Conference (DSK) must already be observed for AI: the guidance issued by the DSK on May 6, 2024, "Artificial Intelligence and Data Protection - Version 1.0," contains a whole series of legal requirements. It applies to any AI application in which personal data is processed with or through AI.

For example, according to the DSK, the data controllers themselves must verify whether and to what extent the AI application that they use has been trained in a lawful manner. Specifically, this means that when selecting and using generative AI systems in particular, the covered businesses must check and document whether the AI system to be deployed or developed has been trained in accordance with applicable (data privacy) law. If the business has not trained the AI system itself, it must, according to the DSK, verify whether the AI system produces incorrect results, which is difficult to do in practice.

When using an AI application, the DSK requires businesses to determine which specific fields of application are to be considered. The DSK is of the opinion that closed systems should be preferred over open systems (such as cloud-based systems), which will pose at least some challenges in practice. This rule applies in particular to AI systems that are used in connection with legally relevant decision-making (e.g., for application procedures). In all cases, businesses should establish internal regulations on the use of AI and provide training for their employees. When using AI systems from third-party providers, the DSK guidance requires that separate data processing agreements or joint controller agreements under the GDPR be concluded.

Overall, it is clear that data privacy and AI can hardly be separated from each other. In practice, businesses should be mindful, for example, that only fundamentally irreversible anonymization of the data, and not (mere) pseudonymization, takes the data outside the scope of the GDPR.

The rules of the new AI Office in Brussels, which is intended to safeguard a uniform European AI governance system, will therefore play a key role in the implementation of the AI Act. Businesses should closely monitor the development of new rules to be issued by the AI Office and actively participate in the debate on AI.
