AI Provider Transparency
This specific topic is needed to comprehensively cover the transparency obligations framework that applies to both providers and deployers of AI systems, which is a distinct and important compliance area under the AI Act that warrants its own dedicated topic for better organization and retrieval.
Overview
Legal Framework
Article 50 of the AI Act governs the specific transparency obligations for providers and deployers of certain AI systems. This provision establishes a distinct, targeted set of rules for AI systems that are not classified as high-risk but pose specific transparency risks. The obligations mandate that providers of AI systems designed to interact with natural persons must disclose that the user is interacting with an AI system, unless this is obvious from the circumstances and the context of use. Furthermore, providers of AI systems that generate or manipulate image, audio, or video content constituting a deepfake must disclose that the content has been artificially generated or manipulated.
Practical Application
These rules apply to a defined subset of AI systems outside the high-risk framework, focusing on user awareness and content authenticity. The requirement for disclosure of AI interaction is interpreted as needing to be provided in a timely, clear, and intelligible manner to the user. For deepfakes, the disclosure must be machine-readable and provided to deployers, who are then responsible for making end-users aware of the artificial nature of the content. This creates a chain of responsibility: providers equip deployers with the necessary information and tools for compliance, while deployers must implement effective disclosure to the public. The rationale, as indicated in Recital 26, is to address specific risks of manipulation and deception without imposing the full weight of high-risk compliance. Enforcement would focus on the absence of such disclosures where they are legally required.
Key Considerations
- Provider-Deployer Handoff: Providers must ensure technical solutions for disclosure (e.g., APIs, metadata standards) are available to deployers, particularly for deepfake detection.
- Contextual Assessment: The "unless obvious" exception for AI interaction disclosure requires a careful, documented analysis of the typical user's reasonable expectations in the specific use context.
- Operational Integration: Deployers must integrate received transparency information into their user interfaces or content presentation workflows to ensure the end-user disclosure is effective and unavoidable.
Laws (23)
Recital 135
Recital 137
Recital 157
Recital 174
Article 50
Transparency obligations for providers and deployers of certain AI systems
Recital 26
TRANSPARENCY OBLIGATIONS FOR PROVIDERS AND DEPLOYERS OF CERTAIN AI SYSTEMS
Recital 135
Recital 137
Recital 157
Recital 174
Article 50
Transparency obligations for providers and deployers of certain AI systems
Recital 26
Recital 104
Recital 132
Recital 134
Recital 107
Recital 107
Recital 94
Case Law (1)
Guidance (25)
ARTICLE 29 DATA PROTECTION WORKING PARTY
guidelines transparency
VERSION HISTORY
binding corporate rules for controllers
Version history
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Version history
guidelines interplay between the application of Article 3 and Chapter V GDPR
The GDPR does not contain a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers the requirements of Chapter V should be applied and, to that end, has identified three cumulative criteria that a processing operation must meet to qualify as a transfer: - 1) A controller...
Version history
guidelines performance of a contract
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
Guidelines on derogations of Article 49
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 8/2020 on the targeting of social media users
Guidelines on the targeting of social media users
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Guidelines on the territorial scope of the GDPR
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 02/2021 on virtual voice assistants
Guidelines on virtual voice assistants
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in recent years, even standalone devices like smart speakers. VVAs act as an interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal...
Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
guidelines derogations of Article 49
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
guidelines calculating administrative fines
The European Data Protection Board (EDPB) has adopted these guidelines with a view to harmonising the methodology that supervisory authorities use to calculate the amount of the fine. These guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), which concern the circumstances in which a fine must be ...
Version history
guidelines transfer of personal data between public authorities and bodies inside and outside the EEA
Guidelines 3/2022 on recognising and avoiding deceptive design patterns in the interfaces of social media platforms
guidelines deceptive design patterns
These guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on assessing and avoiding so-called 'deceptive design patterns' in social media interfaces that infringe the requirements of the GDPR. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, ...
Enforcement (7)
Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles
€4,500,000 fine - Croatian Data Protection Authority (azop)
Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ
BANCO BILBAO VIZCAYA ARGENTARIA, S.A.: Insufficient legal basis for data processing
€84,000 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine on BANCO BILBAO VIZCAYA ARGENTARIA, S.A.. During its investigation, the DPA found that the controller had registered alleged debts of a former client to the risk information center of the Spanish Central Bank without a valid legal basis. The DPA also found that the controller had not adequately complied with the former customer's request for access to their personal data. The original fine of EUR 140,000 was reduced to EUR 84,000 due to voluntary payment and ad
WhatsApp Ireland Ltd.: Insufficient legal basis for data processing
€5,500,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the ac
Meta Platforms Ireland Limited: Non-compliance with general data processing principles
€390,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi
WhatsApp Ireland Ltd.: Insufficient fulfilment of information obligations
€225,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp
MALTA DPA: Insufficient fulfilment of data subjects rights
€20,000 fine - Data Protection Commissioner of Malta
The controller failed to comply with a data subject's right to information. In addition, the data protection policy did not meet the transparency requirements.
MALTA DPA: Insufficient fulfilment of data subjects rights
€4,000 fine - Data Protection Commissioner of Malta
The controller had sent unsolicited commercial messages. In addition, the privacy policy did not comply with transparency requirements and the controller failed to comply with requests for information from data subjects.
News (5)
AI Omnibus: Reject the proposals to undermine transparency in the AI Act
The European Commission’s dangerous and misguided Digital Omnibus proposal includes a dangerous rollback of transparency requirements in the AI Act. 60 civil society organisations, independent public authorities and individuals, including EDRi, urge EU lawmakers to reject a change that would risk weakening enforcement, legal certainty, and the protection of fundamental rights, while offering negligible benefits for companies.
VDAI (Lithuania) - Decision No. 3R-1700
Facts: The DPA held that a gambling operator lawfully transferred data to a processor for sending invitations to sporting events, but found that the controller breached transparency obligations by not informing the data subject about the categories of data recipients. The DPA held that the operator of a gambling site lawfully transferred data to a processor for sending invitations to sporting events since the engagement of a processor does not require a separate legal basis. However, the cour
VDAI (Lithuania) - Decision No. 3R-1700.
Facts: The data protection authority (DPA) ruled that a gambling operator had lawfully transferred data to a processor for the purpose of sending invitations to sporting events, but found that the responsible party had violated its transparency obligations by failing to inform the data subject about the categories of recipients of the data. The DPA also ruled that the operator of a gambling website had lawfully transferred data to a processor for the purpose of sending invitations to sporting events, as the engagement of a processor does not require a separate legal basis. However, the court...
Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems?
> The growth of generative artificial intelligence systems has led EU lawmakers to focus on General Purpose AI in drafting the AI Act, which will set the framework governing artificial intelligence in the European Union. As previously reported, the EU Parliament has already broadened the definition of artificial intelligence for the purposes of the AI Act… The post Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems? appeared first on GamingTechLaw.
Overview of EU Strategy for Data: Digital Services Act
> The Digital Services Act was published in the Official Journal of the European Union Oct. 27. The DSA, which harmonizes conditions for the provision of intermediary services and increases transparency requirements for online intermediaries, will enter into force Nov. 16. In the latest installment of a multipart series, the IAPP Research and Insights team provides privacy professionals with an overview of the DSA, including the law's objectives, key requirements and enforcement.