Skip to content
Guidance · EDPB ·32024-on-data-protection-authorities-role-in-the EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework

Summary

Final 1 Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework Adopted on 16 July 2024 The European Data Protection Board has adopted the following statement: 1 BACKGROUND AND PURPO SE OF THIS STATEMENT 1. On 12 July 2024, Regulation (EU) 2024/1689 laying down harmonised rules on a rtificial i ntelligence (Artificial Intelligence Act, hereinafter the “ AI Act ”) and amending certain Union Legislative Acts was published in the Official Journal 1 . 2.…

How it connects

Full text

Final 1 Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework Adopted on 16 July 2024 The European Data Protection Board has adopted the following statement: 1 BACKGROUND AND PURPO SE OF THIS STATEMENT 1. On 12 July 2024, Regulation (EU) 2024/1689 laying down harmonised rules on a rtificial i ntelligence (Artificial Intelligence Act, hereinafter the “ AI Act ”) and amending certain Union Legislative Acts was published in the Official Journal 1 . 2. The AI Act lays down harmonised rules on the placement on the market, putting into service and use of A rtificial I ntelligence (hereinafter “AI”) in line with the New Legislative Framework and requires market surveillance within the meaning of Regulation (EU) 2019/1020 2 . A s stated in its Article 1(1), the AI Act aims to improve the functioning of the internal market and support innovation , whilst promot ing the uptake of human - centric and trustworthy AI and ensu ring health , safety and a high level of protection of the fundamental rights enshrined in the Chart er of Fundamental Rights of the European Union ( hereinafter the “ Charter ” ) , including as regards the fundamental rights to privacy and to the protection of personal data (respectively, Article 7 and 8 of the Charter). 1 Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) ( Text with EEA relevance ) , O J L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj . 2 Regulation (EU) 2019/1020 of the Europea n Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (Text with EEA relevance) . Final 2 3. From this perspective, the AI Act and the Union data protection legislation (notably, GDPR 3 , EUDPR 4 and LED 5 , as well as the ePrivacy Directive 6 ) need to be, in principle 7 , considered (and coh erently interpreted) as complementary and mutually reinforcing instruments. This must be done both in terms of the law’s goals and in terms of the protections provided, including the rights of the affected persons ( which may also be qualif ied as “ data subj ects ” under the GDPR). Further, it is important to underline that Union data protection law is fully applicable to the processing o f personal data involved in the lifecycle of the AI systems, as explicitly recognised in Article 2(7) AI Act (see also Recitals 9 and 10). 4. In fact, the processing of personal data ( which is often strictly intertwined with non - personal data) along the lifecycle of AI systems ‒ and particular ly along the lifecy c le of those AI systems presenting a high risk to fundamental rights 8 ‒ clearly is (and will continue to be) a core element of the various technologies covered under the umbrella of the AI definition, as enshrined in Article 3 (1) AI Act . For these reasons, national data protection authorities (hereinafter “ DPAs ”) hav e been active with regard to these technological developments 9 and the EDPB , which has closely followed the legislative process regarding the AI Act 10 , has already initiated the examination of its (multifaceted) interplay with EU data protection law. 5. W ith this statement , the EDPB would like to further highlight supervisi on and coordination issues that could result from the designation of competent authorities by the Member States 11 i n areas that are so closely linked to personal data protection matters. It sh ould be considered that, at the national level, the AI Act enforcement framework will have to be built in the next year after entry into force of the AI Act around one or more established or designated “national competent authorities” 3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA r elevance), OJ L 119, 4.5.2016, p. 1 – 88. 4 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offi ces and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance), OJ L 295, 21.11.2018, p. 39 – 98. 5 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal pen alties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89 – 131 . 6 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37 – 47. 7 More specifically, for remote biometric identification the AI Act is lex specialis vis - à - vis the LED (Art. 5(1)(h) AI Act ). 8 See in this regards the largest part of AI systems listed in Annex III of the AI Act . 9 It has materialised in the EU jurisdictions through position papers, public consultations, parliamentary hearings, guidelines , opinions related to data protection imp act assessments, investigations, corrective measures and (sometimes) sanctions. Furthermore, DPAs are also participating in various regulatory sandboxes. 10 See, in particular, EDPB - EDPS Joint Opinion 5/2021 on the p roposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) , 18 June 2021 (hereinafter “ EDPB - EDPS Joint Opinion 5/2021 ”); EDPB Statement on the Digital Service s Package and Data Strategy adopted on 18 November 2021. 11 See Recital 153 AI Act . Final 3 ( hereinafter “ NCAs ” ), in particular market surveillance authority/authorities ( hereinafter “ MSAs ” ) 12 , interacting both among them selves and with DPAs and other authorities protecting fundamental rights. 13 The EDPB recognises that some Member States have already decided on the appointment of MSAs and that, therefore, some of the recommendations in this statement may not be fully relevant in those case s . 6. As already stated in the Joint O pinion of the EDPB and the EDPS 14 , in this emerging enforcement framework , a prominent role of the DPAs at national level should be recognised, in particular due to the experience and expertise gathered by them in working out guidelines and best practices an d carrying out enforcement actions on AI - related issues with respect to the processing of personal data at both national and international level 15 . DPAs have proven and are proving to be indispensable actors in the chain leading to the safe, rights - oriented and secure deployment of AI systems across several sectors. 7. Moreover, it should be pointed out that the designation of DPAs as MSAs would benefit all stakeholders in the AI value chain by making available a single contact point, facilitating the interactions between different regulatory bodies that are concerned by both the AI Act and EU data protection law . 8. Furthermore , in the light of the AI Act , the EDPB considers the following points of particular importance: § DPAs, in addition to their existing expertise in AI technolog ies, are skilled in many of the areas referred to in Article 70(3) AI Act , such as data computing and data security, and in assessing risks to fundamental rights posed by new technologies; § DPAs, due to their full independence 16 , can provide effective independent supervision of AI systems, as required by Ar ticle 70(1) AI Act 17 ; § Pursuant Article 74(8) AI Act , DPAs ‒ or other author ities with same requirements on independence ( under the conditions laid down in Articles 41 to 44 of Directive (EU) 2016/680 ) ‒ must be designated as MSA s for high - risk AI systems listed in point 1 of Annex III AI Act, in so far they are used for law enforcement purposes, border management and justice and democracy , and for high - risk AI systems listed in points 6, 7 and 8 of Annex III AI Act , which are key elements of the democratic order; § From a system at ic perspective, it is also particularly valuable that where Union institutions, bodies, offices or agencies fall within the scope of the AI Act, the EDPS shall act as the competent authority for their supervision , as provided for by Article 70(9) AI Act 18 ; 12 See Article 3(48) AI Act . 13 See Article 77 and Recital 1 57 AI Act . 14 See, in particular points 47 ff. of the EDPB - EDPS Joint Opinion 5/2021 . 15 DPAs have been active for a long time and also cooperate on the different topics related to AI systems in different international fora (G7 Data Protection and Privacy Authorities Roundtable, Global Privacy Assembly - GPA, International Working Group on Da ta Protection in Technology, Council of Europe, international standards organisations, etc.) and, with their representatives, at the OECD. This integration is particularly important in the current context in which AI regulation is widely discussed at the g lobal level, notably regarding the development of standards. 16 See Article 8(3) of the Charter and Article 16(2) of the Treaty on the Functioning of the European Union (hereinafter “TFEU”) . 17 See also Recitals 79 and 80 AI Act . 18 S ee also Article s 3(48), 7 4(9) and 43 (1) AI Act. Final 4 § Moreover, in the light of the provisions contained in Articles 26(9), 27(4) and Annex VIII, Section C, point 5 AI Act , a close relationship is expected between the data protection imp act assessment and the fundamental right imp act assessment 19 . 2 RECOMMENDATIONS 9. The EDPB recommends that DPAs should be designated by Member States as MSAs for the high - risk AI systems mentioned in Article 74(8) AI Act . Further, the EDPB recommends that , taking account of the views of the national DPA, Mem ber States consider appointing DPAs as MSAs for the re maining high - risk AI systems as listed in Annex III, particularly where those high - risk AI systems are in sectors likely to imp act natural persons rights and freedoms with regard to the processing of pe rsonal data, unless those sectors are covered by a mandatory appointment required by the AI Act (e.g. the financial sector). 10. Considering the above, s ince the single point of contact under the AI Act should be a MSA as provided for by Article 70(2) AI Act , DPAs (acting as MSAs) should be designated as the single points of contact for the public and counterparts at Member State and Union levels . This would be without prejudice to the representatives of Member State to the European Artificial Intelligence Boa rd, which could be different, as indicated by A rticle 65(4)(b) AI Act . This would also en able a unified, consistent, and effective approach across the different sectors. 11. From a broader perspective, there is a need for sound cooperation between MSAs and the other entities which are tasked with the supervision of AI systems 20 , including DPAs, and clear procedures have to be provided for in this regard on the basis of A rticle 74(10) AI Act 21 . Such procedures should be built and developed under the principle o f sincere cooperation prov ided by the Article 4(3) of the T reaty of the E uropean U nion , as highlighted by the Court of Justice in the Bundeskartellamt case 22 . In this way , inconsistencies between decisions taken by different overs ight authorities and bodies can be prevented in the digital ecosystem, and synergies can be explo ited in coherent, effective and complementary enforcement actions for the benefit of individuals and legal certainty. 12. Whilst the attribution of new tasks and powers with regard to the s upervision of AI systems could be facilitated by the legal and technical skills already present in the DPAs, the very fact that new tasks and powers are envisaged for DPAs, including in their capacity as MSAs , entails the need for adequate additional human and financial resources to be provided by Member States. 13. The considerations made so far concerning the relationship between national DPAs and MSAs under the AI Act similarly apply to the supervisory activi ty carried out by the AI Office 23 on general - purpose AI models, which could be as well trained on personal data 24 and whose output can affect individuals’ privacy and data protection rights. In this regard, no clear coordination is currently established in t he AI Act between the AI Office and the DPAs/EDPB. 19 See Articles 26(9), 27(4) and Annex VIII, point 5 AI Act . 20 I n particular in the fields of product safety (e.g. in the case of smart toys, see also Annex I) , competition, digital and media services, financial services, consumer protection, and fundamental rights protection . 21 See also, with regard to the activity carried out within the regulatory sandboxes, A rticle 57(10) AI Act . 22 Judgment of the Court of Justice of 4 July 2023 , Meta Platforms and others (Conditions générales d’ utilisation d’un réseau social, C - 252/21, ECLI:EU:C:2023:537), in particular p aras 53 - 63. 23 The AI Office, referred to in Article 64 AI Act , has been established by Commission Decision of 24 January 2024 establishing the European Artificial Intelligence Of fice, C/2024/390, OJ C, C/2024/1459, 14.2.2024. 24 See also Annex XI, Section 1 (1)(e ) and (2)(c) of the AI Act . Final 5 14. The EDPB underlines that whenever a general - purpose AI model or system e ntails the processing of personal data, it may fall – like any other AI system – under the supervisory remit, as applicable , of the relevant national DPAs (also cooperating according to Chapter VII of the GDPR) and of the EDPS (when it falls under the EUDPR). Therefore, national DPAs and the EDPS cannot but be properly involved where questions arise as to matters falling within the scope of Union data protection law in the supervision of those systems . This is necessary to comply with Article 8 of the Charter and Article 16 of the TFEU, including as regards the process of assessment of the codes of practice mentioned in Article 56 A I Act . 15. Accordingly, the EDPB calls the attention of the European Commission and the EU AI Office which is part of it to the need to cooperate with the national DPAs and the EDPB , and the need to establish, in agreement with them, the appropriate mutual cooperation 25 in the most effective way and in full compliance with the principle of sincere cooperation as recalled by the Court of Justice 26 . For the European Data Protection Board The Chair (Anu Talus) 25 Also in light of A rticles 2(3)(c) and (d), Articles 3 and 6 of the Commission Decision of 24 January 2024 establishing the European Artificial Intelligence Office , C/2024/1459 . 26 See footnote 22 of this Statement.

Similar Content