Interim Measures under AI Act
This new topic is needed to specifically address interim measures provisions in the AI Act, which allow authorities to take temporary protective actions against high-risk AI systems that pose immediate risks to fundamental rights, safety, or public security, pending full compliance assessment or corrective actions.
interim measures temporary measures emergency measures urgent intervention provisional measures precautionary measures suspension measures immediate action
Overview
Legal Framework
Article 83 of the AI Act governs interim measures. It empowers national supervisory authorities to adopt provisional, temporary measures against providers or deployers of AI systems where they identify a reasonable likelihood of an imminent risk to health, safety, or fundamental rights. This power is triggered before a final decision on non-compliance is reached, serving as a crucial protective mechanism. The provision mandates that such measures must be proportionate, reasoned, and limited in time, allowing for a swift response to urgent threats while safeguarding the rights of the concerned operator.
Practical Application
The AI Act’s interim measures framework is designed to operate alongside and be informed by existing enforcement structures, such as those under the GDPR and DSA. Recitals 114 and 138 of the DSA underscore the necessity for authorities to have sufficient powers, including for provisional actions in cases of serious harm, which informs the interpretation of the AI Act’s similar provisions. While specific AI Act case law is still developing, the established jurisprudence from the Court of Justice of the European Union on interim relief (e.g., under Article 278 TFEU) and the binding dispute resolution mechanism of the EDPB under Article 70 GDPR provide an analog. These principles indicate that interim measures require a prima facie case of infringement and a demonstration of urgency to prevent serious and irreparable damage. Authorities must balance the severity of the alleged risk against the potential impact of suspending an AI system’s operation.
Key Considerations
- Trigger for Action: Organizations should understand that authorities can act based on a reasonable likelihood of an imminent risk. This is a lower threshold than proving a definitive violation, meaning proactive risk monitoring and mitigation are critical to avoid being subject to such measures.
- Procedural Rights: While interim measures can be adopted urgently, they are subject to the right to be heard. Providers or deployers will typically have an opportunity to submit observations before a measure is imposed, unless the urgency of the situation dictates otherwise. Legal counsel should be prepared to act swiftly in such proceedings.
- System Documentation: Maintaining comprehensive and up-to-date technical documentation and conformity assessment records is vital. This evidence is the primary tool for contesting an authority's claim of an imminent risk and arguing that any proposed interim measure is disproportionate.
Laws (12)
Case Law (3)
Rechtbank Amsterdam
Rechtbank Amsterdam
Gevraagde voorzieningen geweigerd
Meta Platforms v noyb
C-252/21 (Meta Platforms (noyb))
GDPR consent requirements and lead supervisory authority mechanism.
Google LLC v CNIL
C-507/17 (Google Territorial Scope)
Right to delisting does not require global de-referencing under EU law.
Guidance (7)
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 10/2020 on restrictions under Article 23 GDPR
Guidelines on restrictions under Article 23 GDPR
Richtsnoeren 02/2022 voor de toepassing van artikel 60 AVG
guidelines voor de toepassing van artikel 60 AVG
Een van de belangrijkste innovaties bij de invoering van de AVG was de introductie van het concept 'één-loketmechanisme'. In gevallen van grensoverschrijdende verwerking is de toezichthoudende autoriteit in de lidstaat van de hoofdvestiging van de verwerkingsverantwoordelijke of verwerker de autoriteit die leidinggeeft aan de handhaving van de AVG met betrekking tot de grensoverschrijdende verwerkingsactiviteiten in kwestie. Daarbij wordt samengewerkt met alle autoriteiten die de gevolge...
Versiegeschiedenis
guidelines meldplicht datalekken
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Richtsnoeren 10/2020 met betrekking tot de beperkingen krachtens artikel 23 AVG
guidelines beperkingen rechten van betrokkenen
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Enforcement (2)
Klass Wagen S.R.L.: Onvoldoende technische en organisatorische maatregelen om de informatiebeveiliging te waarborgen.
Boete van €7.000 - Roemeense nationale toezichthoudende autoriteit voor de verwerking van persoonsgegevens (ANSPDCP).
De Roemeense autoriteit voor gegevensbescherming (DPA) heeft Klass Wagen S.R.L. een boete van 7.000 euro opgelegd. De verantwoordelijke partij heeft een cyberincident ervaren doordat een voormalige werknemer de inloggegevens van collega's heeft bekendgemaakt, waardoor toegang werd verkregen tot de software voor contractbeheer. Bovendien heeft de verantwoordelijke partij geen onmiddellijke actie ondernomen vanwege interne vertragingen.
Klass Wagen S.R.L.: Insufficient technical and organisational measures to ensure information security
€7,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 7,000 on Klass Wagen S.R.L. The controller suffered a cyber incident due to a former employee exposing the login credentials of colleagues to access the contract management software. The controller also failed to take immediate action due to internal delays.