GPAI Enforcement
This new topic is needed because the content specifically addresses the enforcement of GPAI provider obligations, which requires dedicated procedures and mechanisms distinct from general AI system enforcement.
GPAI enforcement provider enforcement enforcement procedures enforcement mechanisms compliance enforcement GPAI provider compliance enforcement actions enforcement timeline
Overview
Legal Framework
Recital 34 AI Act establishes the necessity of a proportionate and responsible use framework for high-risk AI systems, requiring that specific elements—such as the nature of the situation and consequences for rights and freedoms—are considered in exhaustively listed situations. Recital 35 AI Act specifically governs enforcement for law enforcement's use of 'real-time' remote biometric identification (RBI) in public spaces, mandating that each deployment requires prior, express, and specific authorization from a judicial or binding independent administrative authority, with exceptions permitted only in duly justified situations.
Practical Application
The recitals frame a tiered enforcement approach. For general high-risk AI, enforcement is principle-based, requiring documented assessments of proportionality and impact. For law enforcement's real-time RBI, enforcement is procedural and pre-emptive; the authorization requirement acts as a mandatory compliance gate. The "duly justified" exception for prior authorization is narrowly construed, implying that ex-post validation requires demonstrating an urgent, compelling threat. National competent authorities will enforce these requirements by verifying the existence and validity of the required judicial or administrative authorization for each specific use.
Key Considerations
- Distinct Authorization Tracks: Providers and deployers must separate compliance procedures: a risk-based governance process for general high-risk AI versus securing a specific, legally-binding authorization for each law enforcement RBI operation.
- Document the Exception: If prior authorization for RBI use is not obtained, the deploying law enforcement body must create and retain a robust, contemporaneous record detailing the facts constituting the "duly justified situation" to withstand regulatory scrutiny.
Laws (5)
Guidance (9)
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Richtsnoeren 1/2019 voor gedragscodes en toezichthoudende organen in de zin van Verordening 2016/679
guidelines gedragscodes en toezichthoudende organen
Versiegeschiedenis
guidelines meldplicht datalekken
Richtsnoeren 07/2020 over de begrippen 'verwerkingsverantwoordelijke' en 'verwerker' in de AVG
guidelines over de begrippen 'verwerkingsverantwoordelijke'Â en 'verwerker'Â in de AVG
De begrippen 'verwerkingsverantwoordelijke', 'gezamenlijke verwerkingsverantwoordelijke' en 'verwerker' spelen een cruciale rol bij de toepassing van de algemene verordening gegevensbescherming (AVG, Verordening (EU) 2016/679), aangezien ermee wordt bepaald wie verantwoordelijk is voor de naleving van verschillende gegevensbeschermingsregels en op welke wijze betrokkenen hun rechten in de praktijk kunnen uitoefenen. De precieze betekenis van deze begrippen en de criteria voor de jui...
Guidelines 02/2024 on Article 48 GDPR
Article 48 GDPR provides that: ' Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...
Richtsnoeren 05/2022 voor het gebruik van gezichtsherkenningstechnologie in het kader van rechtshandhaving
guidelines gebruik gezichtsherkenning bij rechtshandhaving
Steeds meer rechtshandhavingsinstanties passen gezichtsherkenningstechnologie toe of zijn voornemens deze toe te passen. De technologie kan worden gebruikt om een persoon te authenticeren of te identificeren en kan voor video's (bijv. CCTV) of foto's worden ingezet, maar ook voor andere doeleinden, waaronder het opzoeken van personen op signaleringslijsten van de politie of het volgen van de bewegingen van een persoon in de openbare ruimte. Gezichtsherkenningstechnologie is gebaseer...
Richtsnoeren 01/2021
Richtsnoeren 02/2022 voor de toepassing van artikel 60 AVG
guidelines voor de toepassing van artikel 60 AVG
Een van de belangrijkste innovaties bij de invoering van de AVG was de introductie van het concept 'één-loketmechanisme'. In gevallen van grensoverschrijdende verwerking is de toezichthoudende autoriteit in de lidstaat van de hoofdvestiging van de verwerkingsverantwoordelijke of verwerker de autoriteit die leidinggeeft aan de handhaving van de AVG met betrekking tot de grensoverschrijdende verwerkingsactiviteiten in kwestie. Daarbij wordt samengewerkt met alle autoriteiten die de gevolge...
Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement
Guidelines on the use of facial recognition technology in the area of law enforcement
More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data , therefore, it encompasses the processing of special categories ...
News (5)
Ensuring human rights-based, global perspectives in the DSA enforcement: the DSA Human Rights Alliance’s guidelines
The DSA Human Rights Alliance has released 'Principles for a Human Rights-Centred Application of the Digital Services Act: A Global Perspective' to guide the European Commission, national policymakers, and regulators as the DSA moves from legislation to enforcement. The recommendations focus on the cross-border effects of DSA enforcement, empowering diverse groups to enforce users’ rights and providing input during enforcement actions. This will ensure that the law is applied in a way that respe
Danish SA Declares Use of Google Analytics Unlawful Without Supplementary Measures
The Danish Data Protection Agency has looked into the tool Google Analytics and its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.
Irish Data Protection Commissioner Fines Instagram EUR 405M for Children Privacy Violations
> The fine is the result of an investigation that began in 2020 and focused on the company’s processing of children’s personal data. Based on press reports, the investigation focused on children between the ages of 13 and 17 who were allowed to operate business or creator Instagram accounts. As a result, children’s phone numbers and email addresses were publicly accessible.
CNIL Proposes 60 Million Euros Fine Against French AdTech Company For Non-Compliance with GDPR
> The proposed fine follows complaints filed by privacy NGO ‘Privacy International’ against Criteo. […] Under the CNIL’s sanction procedure, Criteo has the right to respond to the report, both with respect to the alleged infringements and the proposed sanction.
Versterkt mandaat voor Europol
Europol has more possibilities to cooperate with third countries, including the possibility to exchange personal data with countries where sufficient guarantees exist. In addition, Europol should cooperate more closely with the European Public Prosecutor's Office. Furthermore, the Director of Europol can propose the initiation of national investigations into non-cross-border crimes affecting a common interest covered by an EU policy area.