The use of AI offers companies numerous opportunities and possibilities for process optimisation and the development of new business models. However, its use also brings with it legal and ethical requirements, particularly in the area of data protection.
The "Regulation on Artificial Intelligence (AI Act)" was officially published in the Official Journal of the European Union on 12 July 2024 and will enter into force 20 days later on 1 August 2024.
The following transition periods apply until entry into force:
- 6 months: from 02 February 2025, the regulations on prohibited AI systems will already apply. In addition, there is an extensive training obligation for employees who handle AI systems.
- 12 months: from 2 August 2026, the regulations on AI models for general purposes and the regulations on authorities, governance and sanctions will apply.
- 36 months: from 2 August 2027, the regulations for so-called "integrated high-risk AI systems", which are installed as components in, for example, devices, vehicles or machines explicitly referred to in ANNEX I, apply.
- 24 months (basic rule): from 02 August 2026, all other provisions of the AI Regulation apply.
EU’s regulatory objectives
A central element of the EU’s regulatory objectives in the area of data management and artificial intelligence is the General Data Protection Regulation. The scope of the General Data Protection Regulation extends to personal data. Anonymous data is not covered. The identification of a natural person can result from a single piece of information itself. Identifiability also exists if the information (e.g. a technical identifier, a quotation) can be assigned in conjunction with other information available about this person.
A major challenge for AI in the context of anonymisation is that AI has a great deal of "background knowledge" from which it can draw conclusions that lead to identifiability. Another problem lies in "prompt engineering", whereby the AI (especially in the case of free text entries) could be deliberately induced by the user to carry out anonymisation that is not actually intended or to give the user the opportunity to enter additional background knowledge that leads to identifiability.
Principles of data protection
The principles of data protection in the processing of personal data must be guaranteed (Art. 5 GDPR): lawfulness, fairness of processing, transparency, purpose limitation, data minimisation, accuracy, storage limitation as well as integrity and confidentiality.
Controllers must not only ensure that they comply with the requirements of the GDPR but must also be able to prove this (accountability). Suitable technical and organisational measures must be implemented to ensure the security and protection of personal data.
The permissibility of using training data is a priority for many companies. For example, internal guidelines and processes should be established for monitoring, including compliance with copyright regulations.
Liability for AI-generated content is also an important aspect.
Regulation (EU) 2024/1689 of the European Parliament and of the Council – Artificial Intelligence Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202401689
German translation: https://www.adorgasolutions.de/datenschutz-verordnung-ueber-kuenstliche-intelligenz-ki-vo-tritt-in-kraft/