AI Accuracy Requirements
Accuracy is a critical AI Act requirement that warrants dedicated coverage of how AI system performance standards are measured, validated, monitored, and maintained.
Overview
Legal Framework
The accuracy requirement for AI systems is established by the EU AI Act, specifically Recital 74. This recital mandates that high-risk AI systems must perform consistently throughout their lifecycle and meet an appropriate level of accuracy, robustness, and cybersecurity. The required level of performance is not a fixed standard but is assessed in light of the system's intended purpose and the generally acknowledged state of the art. This legal framework obliges providers to define and declare the expected level of performance using measurable metrics, which must be documented in the system's accompanying technical documentation.
Practical Application
The requirement for "appropriate" accuracy is purpose-driven and contextual. As emphasized in Recital 122, compliance with data governance requirements—a foundation for accuracy—is presumed when an AI system is trained and tested on data reflecting its specific intended operational setting, including geographical, behavioural, and functional contexts. This principle discourages the use of generic, non-representative datasets. While case law on AI-specific accuracy is nascent, established data protection principles provide guidance. The Minister v. M ruling underscores that data subjects must be able to check the accuracy of data processed about them, a right that logically extends to outputs from AI systems processing personal data. Furthermore, the WORTEN case reinforces that any data processing, including that which trains or feeds an AI system, must be necessary and proportionate to its stated purpose, which directly informs the scope and benchmarks for required accuracy.
Key Considerations
- Define and Document Context-Specific Metrics: Organizations must explicitly define quantifiable accuracy metrics (e.g., precision, recall, error rates) that are appropriate for the AI system's specific intended use and documented operational environment.
- Implement Lifecycle Monitoring: Accuracy is not a one-time validation. Providers must establish procedures for continuous post-market monitoring to ensure performance remains consistent and appropriate as the system operates in the real world and as the state of the art evolves.
- Validate Data Representativeness: To leverage the compliance presumption under Recital 122, rigorously document how your training, validation, and testing data reflect the actual geographical, behavioural, and contextual setting where the high-risk AI system will be deployed.
Laws (18)
Case Law (8)
UNABHÄNGIGES LANDESZENTRUM FÜR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLSTEIN GmbH
Wirtschaftsakademie
Territorial Scope / Concept of “establishment”: Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Faceboo
Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy
Puškár
Lawful basis (in general): Subject to the exceptions permitted under Article 13 of the Data Protection Directive, all processing of personal data must, first, comply with the principles relating to data quality (in Article 6 of that directive) and, second, have a lawful basis (by complying with one of the criteria for making data processing legitimate listed in Article 7 of that directive) (see Bara). The list of lawful bases in Article 7 is an exhaustive and restrictive list of cases in which the processing of
MINISTER VOOR IMMIGRATIE V. M, 17.7.2014 (“Minister v. M”)
Minister v. M
Right to access: The right of access is a prerequisite to obtain rectification, erasure or blocking of personal data (¶¶ 44-46). To comply with the right of access it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with the Directive. He need not be given a copy of the documents. (¶¶ 59-60)
SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Schwarz
Personal data: Fingerprints constitute personal data, as they objectively contain unique information about individuals which allows them to be identified with precision. (¶ 27)
WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
Worten
Security: Data protection law requires controllers (not Member States) to adopt technical and organizational measures which, having regard to the state of the art and cost of their implementation, are to ensure a level of security appropriate to the risks represented. Controller must ensure that only those persons duly authorized have access. (¶¶ 24–25, 28–29)
WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
Worten
Necessity/proportionality: Collection and processing of personal data contained in the record of working time to ensure compliance with national legislation relating to working conditions is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. Access should be granted only to authorities having powers of monitoring compliance with legal requirements. An obligation to provide immediate access to the record could be necessary if it contributes to the
VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.Nov.2010 (“SCHECKE”)
Schecke
Personal Data: Legal persons can claim protection under EU data protection law only insofar as the official title of the legal person identifies one or more natural persons. It is of no relevance in this respect that the data published concerns activities of a professional nature (see also Rechnungshof, paragraphs 73 and 74).
VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.Nov.2010 (“SCHECKE”)
Schecke
Interference with the fundamental rights of privacy and data protection: Charter of Fundamental Rights (CFR) Article 52(1) accepts that limitations may be imposed on fundamental rights, as long as they are provided by law, respect the essence of those rights and are proportionate (necessary and genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others). The CJEU concluded that by imposing an obligation to publish personal data rel
Guidance (39)
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679
Guidelines on relevant and reasoned objection under Regulation 2016/679
Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
Guidelines on technical scope of art. 5(3) of ePrivacy Directive
Version history
Guidelines on transfers of personal data between public authorities and bodies inside and outside the EEA
Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement
Guidelines on the use of facial recognition in law enforcement
More and more law enforcement authorities are applying or intend to apply facial recognition technology. The technology can be used to authenticate or identify a person and can be applied to videos (e.g. CCTV) or photographs, but also for other purposes, including searching for persons on police watch lists or tracking a person's movements in public space. Facial recognition technology is based...
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification and identifying certification criteria
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on the right of access
The right of access of data subjects is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. It has been part of the European data protection legal framework since its beginning and is now further developed by more specific and precise rules in Article 15 GDPR.
Guidelines 02/2024 on Article 48 GDPR
Article 48 GDPR provides that: ' Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...
Guidelines 01/2021
Guidelines on Examples regarding Personal Data Breach Notification
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 02/2021 on virtual voice assistants
Guidelines on virtual voice assistants
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in the latest years, even standalone devices like smart speakers. VVAs act as interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal...
Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications
Guidelines on connected vehicles
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Guidelines 06/2022 on the practical implementation of amicable settlements
Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
Guidelines 8/2020 on the targeting of social media users
Guidelines on the targeting of social media users
News (7)
Article 40 GDPR
(3) Controllers and Processors not Subject to the Territorial Scope of the GDPR The focus on a particular sector is supposed to allow for a cost effective way to achieve data protection compliance by taking into account all the specific characteristics of processing carried out in that sector - with particular emphasis on the needs of micro, small and medium enterprises.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version
Dirkzwager: ABRvS explains the GDPR concept of "the establishment, exercise or defence of legal claims"
> Privacy protection is not absolute. The privacy legislation even says so literally. The GDPR therefore contains all kinds of exceptions. One of the exceptions that recurs several times in the GDPR concerns the processing of personal data in the context of "the establishment, exercise or defence of legal claims". Until now, however, it was not very clear what those words actually mean. A recent ruling of the Administrative Jurisdiction Division of the Council of State
What Happened to the Risk-Based Approach to Data Transfers?
The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security
EU Court: data from which a person's sexual orientation can be indirectly inferred constitute sensitive data within the meaning of the GDPR
The processing of personal data that may indirectly reveal sensitive information about an individual, such as information about their sexual orientation, may qualify as processing of "special categories of personal data" within the meaning of the GDPR. The processing of such sensitive data is prohibited in principle. This is the EU Court's answer to questions from a Lithuanian judge.
Who Is Collecting Data from Your Car?
> A firehose of sensitive data from your vehicle is flowing to a group of companies you’ve probably never heard of
European Commission sued for violating transfer rules by using Amazon Web Services
The European Commission faces a lawsuit over allegations it is violating its own data protection rules by transferring citizens’ personal data on one of its websites to Amazon Web Services in the United States.
EU Court: consumer protection associations may bring representative actions against infringements of personal data protection
An association representing consumer interests may bring a representative action against the alleged perpetrator of a personal data breach. A specific breach of a data subject's right to the protection of his or her personal data is not required to bring such a claim. In addition, such a claim can be brought independently of whether a data subject has given an order to do so. This is the EU Court's answer to questions from a German court.