AI Corrective Powers
This topic addresses the corrective and intervention powers that authorities possess to protect fundamental rights, including emergency measures, system suspensions, and market restrictions that go beyond standard inspection and monitoring activities.
Overview
Legal Framework
The corrective powers of AI market surveillance authorities are governed by Article 74 of the AI Act. This article provides authorities with a suite of enforcement powers beyond standard inspections. Crucially, these include the power to order the bringing of non-compliant high-risk AI systems into conformity, to restrict or prohibit their placing on the market or putting into service, and to order their withdrawal or recall. For systems in the areas of biometrics, law enforcement, migration, asylum, border control, and democratic processes—as referenced in Recital 159—authorities must have the specific power to access all processed personal data and information necessary for their audits.
Practical Application
The legal framework establishes a graduated enforcement model. Authorities are expected to exercise these powers proportionately, potentially starting with corrective orders before moving to market restrictions or suspensions. The rationale, as supported by the principle from case law like Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems, is that supervisory authorities must have effective tools to ensure compliance with EU rules. The authority's intervention is not merely investigative; it is corrective and can directly halt an AI system's operation to prevent harm to fundamental rights. The binding decision-making process for the European Data Protection Board (EDPB) under Article 70 GDPR, which requires a two-thirds majority in certain cases and is subject to judicial review, serves as an analogous procedural model for how such significant corrective powers should be exercised within a structured, accountable framework.
Key Considerations
- Prepare for Escalating Intervention: Organizations deploying high-risk AI systems, particularly in sensitive domains, must have internal processes to respond swiftly to formal corrective orders (e.g., to modify a system) to avoid more severe measures like market prohibition.
- Ensure Full Audit Trail Access: For systems falling under the scope of Recital 159, ensure all personal data processing and technical documentation can be provided to authorities immediately upon request, as this is a foundational investigative and corrective power.
- Monitor for Emergency Measures: Be aware that authorities can invoke urgent procedures. A system's non-compliance that poses an immediate risk to health, safety, or fundamental rights can trigger rapid suspension orders without the full duration of a standard procedure.
Laws (13)
Case Law (6)
Deutsche Wohnen SE v Staatsanwaltschaft Berlin
C-807/21 (Deutsche Wohnen)
Fines can be imposed directly on legal persons without identifying responsible natural person.
Meta Platforms v noyb
C-252/21 (Meta Platforms (noyb))
GDPR consent requirements and lead supervisory authority mechanism.
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
“the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation” / “The exercise of that responsibility is of particular importance where personal data is tra
CJEU: Privacy Shield declared invalid (Schrems II)
The Court of Justice declares the Privacy Shield agreement invalid on account of insufficient safeguards for European citizens against access by US intelligence services.
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
C-311/18 (Schrems II)
Invalidated Privacy Shield adequacy decision and upheld validity of Standard Contractual Clauses with additional safeguards required.
Google LLC v CNIL
C-507/17 (Google Territorial Scope)
Right to delisting does not require global de-referencing under EU law.
Guidance (14)
Guidelines 10/2020 on restrictions under Article 23 GDPR
guidelines on restrictions of data subject rights
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
guidelines on certification
Guidelines 01/2021
Guidelines on Examples regarding Personal Data Breach Notification
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 01/2022 on data subject rights - Right of access
guidelines on the right of access
The right of access of data subjects is laid down in Article 8 of the Charter of Fundamental Rights of the European Union. It has been part of the European legal framework for data protection since the beginning and is now further developed with more specific, more precise rules in Article 15 GDPR.
Guidelines 10/2020 on restrictions under Article 23 GDPR
Guidelines on restrictions under Article 23 GDPR
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 06/2022 on the practical implementation of amicable settlements
Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Version history
Guidelines 01/2021
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification and identifying certification criteria
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...
Guidelines 02/2022 on the application of Article 60 GDPR
guidelines on the application of Article 60 GDPR
One of the main innovations when the GDPR was introduced was the concept of the 'one-stop-shop mechanism'. In cases of cross-border processing, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority that leads the enforcement of the GDPR with regard to the cross-border processing activities in question. This is done in cooperation with all the authorities that the effects...