AI Investigative Powers
This new topic is needed to specifically address the investigative and information-gathering powers of competent authorities under the AI Act, which are distinct from general cooperation obligations and encompass the procedural mechanisms for requesting and obtaining documentation.
Overview
Legal Framework
The investigative powers of competent authorities are governed by AI Act Recital 159 and supported by the principle of cooperation in DSA Recital 127. Recital 159 mandates that market surveillance authorities for high-risk AI systems in specified sensitive areas (e.g., law enforcement, migration) must possess effective investigative and corrective powers. This includes, at a minimum, the power to access all personal data processed by these AI systems. Recital 127 DSA underscores the necessity for a high level of cross-border cooperation and information exchange to enable consistent enforcement.
Practical Application
These recitals establish a framework where authorities have broad access powers for monitoring compliance. The case law, such as Weltimmo, clarifies the territorial scope of an authority's investigative powers: a national authority may initiate an investigation based on a complaint within its own territory, even before determining the applicable national law. This principle supports the AI Act's approach, allowing authorities to investigate potential non-compliance with AI system requirements proactively. The powers are designed to be effective, meaning authorities can request and obtain necessary documentation and data to assess an AI system's conformity.
Key Considerations
- Documentation Access: Deployers and providers of high-risk AI systems in the sensitive areas listed must be prepared to provide authorities with access to all relevant documentation, training data, and logs upon request, as part of a compliance investigation.
- Cross-Border Cooperation: Organizations operating across multiple EU Member States should anticipate that an investigation initiated by one national authority may involve coordinated information sharing with other competent authorities under the DSA and AI Act cooperation frameworks.
- Proactive Compliance: Given the authority's power to investigate based on a complaint within its territory (as seen in Weltimmo), maintaining transparent and readily available technical documentation is critical for a swift and cooperative response to any inquiry.
Case Law (18)
ECLI:NL:RBMNE:2025:6404 Rechtbank Midden-Nederland, 26-11-2025 / UTR 24/5992-T
Rechtbank Midden-Nederland
Interlocutory judgment; full-bench panel (MK); Woo request for information about the handling of a complaint about care in a care centre in Woerden. The court rules that the minister has not sufficiently substantiated that the search was carried out properly. It cannot be ruled out that the minister may hold more Woo documents than the ‘6cm file’ that was provided to the claimant. The minister is ordered to remedy the defects by giving proper further reasoning and explanation on a number of points. In doing so, the minister must also take into account the statements and e-mails of the spokesperson and the Woo case handler.
FSV
District Court
Appeal unfounded, reasoning defect disregarded under Article 6:22 Awb, order to pay the costs of the proceedings. Reasonable time under Article 6 ECHR exceeded, damages
IVR registration may remain in place
District Court
Termination of banking relationship due to insufficient cooperation with customer due diligence
Appeal unfounded. GDPR. The search is transparent and traceable. The respondent did not have to provide screenshots of the...
District Court
Appeal unfounded. GDPR. The search is transparent and traceable. The respondent did not have to provide screenshots of the search.
GDPR and claim for damages.
District Court
GDPR and claim for damages. The claimant submitted several information requests to the executive board (college), one of which was based on the GDPR. Responses to the GDPR request are decisions; responses to other information requests/questions are not decisions. The claimant takes the view that the board did not investigate with sufficient care. The court does not share the claimant's position and declares the appeal unfounded. The claimant also filed a claim for damages with the court on account of the unlawful consultation of her personal data. The court finds that, although there was an unlawful consultation of personal data, the damage has not been substantiated. The claim for damages is therefore dismissed.
Meta Platforms v noyb
C-252/21 (Meta Platforms (noyb))
GDPR consent requirements and lead supervisory authority mechanism.
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
“the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation” / “The exercise of that responsibility is of particular importance where personal data is tra
CJEU: Privacy Shield declared invalid (Schrems II)
The Court of Justice declares the Privacy Shield agreement invalid for lack of sufficient safeguards for European citizens against access by US intelligence services.
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
C-311/18 (Schrems II)
Invalidated Privacy Shield adequacy decision and upheld validity of Standard Contractual Clauses with additional safeguards required.
GC and Others v CNIL
C-136/17 (GC and Others)
Conditions for delisting sensitive data from search results.
Google LLC v CNIL
C-507/17 (Google Territorial Scope)
Right to delisting does not require global de-referencing under EU law.
Unabhängiges Landeszentrum für Datenschutz v Wirtschaftsakademie Schleswig-Holstein
C-210/16 (Wirtschaftsakademie)
Facebook fan page administrators are joint controllers with Facebook.
Peter Nowak v Data Protection Commissioner
C-434/16 (Nowak)
Examination scripts constitute personal data of the candidate.
Maximillian Schrems v Data Protection Commissioner
C-362/14 (Schrems I)
Invalidated Safe Harbor adequacy decision. National supervisory authorities can examine adequacy decisions.
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA’s independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs’ powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State t
WELTIMMO S.R.O. V. NEMZETI ADATVEDELMI ES INFORMACIOSZABADSAG HATOSAG (HUNGARIAN DPA), 1.10.15 (“WELTIMMO”)
Weltimmo
Data protection authorities’ powers and cooperation: In the event that the Hungarian DPA should consider that Weltimmo has an establishment not in Hungary, but in another Member State, it may exercise its powers only within its own territory, and it may, irrespective of the applicable law and before even knowing which national law is applicable, thereby investigate the complaint. If it becomes apparent that it is the law of another Member State that applies, that DPA cannot impose penalties outsi
Google Spain SL and Google Inc. v AEPD and Mario Costeja González
C-131/12 (Google Spain)
Established the right to be forgotten (delisting). Search engines are data controllers.
VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.Nov.2010 (“SCHECKE”)
Schecke
Purpose for processing: The legislation at issue does not base the processing on consent. Rather, it provides that they are to be informed. Thus, processing is not based on their consent. (¶ 54)