Transparency Reporting Obligations Overview
While individual aspects of transparency reporting are covered by existing topics, there is no comprehensive overview topic that addresses transparency reporting obligations as a unified framework under DSA Article 24, including the general principles, scope, and procedural requirements.
Overview
Legal Framework
Transparency reporting obligations for providers and deployers of AI systems are governed by Chapter IV, "Transparency Obligations for Providers and Deployers of Certain AI Systems," of the EU AI Act. This framework implements the risk-based approach mandated by the Act, as outlined in Recital 26, tailoring specific transparency rules to mitigate the risks posed by certain AI applications. The provisions require clear disclosure when users are interacting with an AI system, mandate the labelling of AI-generated or manipulated content (e.g., deepfakes), and impose specific transparency duties for emotion recognition or biometric categorization systems. These obligations are distinct from the high-risk AI system requirements and target systems with specific transparency-related risks to fundamental rights and public trust.
Practical Application
The authoritative commentary underscores that transparency rules must be implemented proportionally, focusing on the nature and severity of the risk. The obligation is not merely technical but substantive, aimed at enabling meaningful human awareness and understanding. For instance, the requirement to disclose AI interaction must be fulfilled in a timely and conspicuous manner, allowing the user to make an informed decision. For AI-generated content, the labelling must be reliable and machine-readable where applicable. Enforcement will likely focus on whether the provided information is sufficient for an average person to comprehend the AI's role, rather than on the mere presence of a generic disclaimer. Providers and deployers must integrate these disclosures into the user interface or content dissemination channels as an inherent part of the system's deployment.
Key Considerations
- Risk-Based Implementation: Conduct a precise assessment to determine if your AI system falls under the specific categories listed in Chapter IV (e.g., chatbots, emotion recognition, deepfake generation). Do not conflate these with the separate conformity assessment for high-risk systems.
- Integrate Disclosure Design: The transparency notice must be designed for the end-user. For deployers, this means ensuring the provider's transparency information is conveyed effectively at the point of interaction. For providers of generative AI, establish technical means to embed robust, machine-readable metadata in outputs.
- Documentation and Verification: Maintain internal documentation detailing how transparency obligations are met for each relevant AI system. For content labelling, implement and document verification processes to ensure labels are applied accurately and remain associated with the content upon dissemination.
Laws (23)
Recital 134
Recital 135
Recital 137
Recital 174
Recital 132
Article 50
Transparency obligations for providers and deployers of certain AI systems
Recital 26
TRANSPARENCY OBLIGATIONS FOR PROVIDERS AND DEPLOYERS OF CERTAIN AI SYSTEMS
Recital 94
Recital 107
Recital 65
Recital 49
Guidance (20)
Version history
Guidelines on the performance of a contract
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 8/2020 on the targeting of social media users
Guidelines on the targeting of social media users
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Guidelines on the territorial scope of the GDPR
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 3/2022 on recognising and avoiding deceptive design patterns in social media platform interfaces
Guidelines on deceptive design patterns
These guidelines offer practical recommendations to social media providers as controllers of social media, and to designers and users of social media platforms, on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe the requirements of the GDPR. To that end, the EDPB recommends that controllers use interdisciplinary teams consisting of, among others, designers, ...
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on the right of access
The right of access of data subjects is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. It has been part of the European data protection legal framework since its beginning and is now further developed by more specific and precise rules in Article 15 GDPR.
Guidelines 05/2020 on consent under Regulation 2016/679
Guidelines on consent
Version history
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Enforcement (4)
Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles
€4,500,000 fine - Croatian Data Protection Authority (AZOP)
Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ
WhatsApp Ireland Ltd.: Insufficient legal basis for data processing
€5,500,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the ac
Meta Platforms Ireland Limited: Non-compliance with general data processing principles
€390,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi
WhatsApp Ireland Ltd.: Insufficient fulfilment of information obligations
€225,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp
News (5)
VDAI (Lithuania) - Decision No. 3R-1700.
Facts: The data protection authority (DPA) ruled that a gambling operator had lawfully transferred data to a processor for the purpose of sending invitations to sporting events, but found that the responsible party had violated its transparency obligations by failing to inform the data subject about the categories of recipients of the data. The DPA also ruled that the operator of a gambling website had lawfully transferred data to a processor for the purpose of sending invitations to sporting events, as the engagement of a processor does not require a separate legal basis. However, the court...
VDAI (Lithuania) - Decision No. 3R-1700
Facts: The DPA held that a gambling operator lawfully transferred data to a processor for sending invitations to sporting events, but found that the controller breached transparency obligations by not informing the data subject about the categories of data recipients. The DPA held that the operator of a gambling site lawfully transferred data to a processor for sending invitations to sporting events since the engagement of a processor does not require a separate legal basis. However, the cour
Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems?
> The growth of generative artificial intelligence systems has led EU lawmakers to focus on General Purpose AI in drafting the AI Act, which will set the framework governing artificial intelligence in the European Union. As previously reported, the EU Parliament has already broadened the definition of artificial intelligence for the purposes of the AI Act… The post Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems? appeared first on GamingTechLaw.
Hunton summarises two articles from the new SCCs: the 'local laws and government access' section
Under Clause 14 of the Data Transfer SCCs, the data importer must carry out a transfer risk assessment to verify whether the laws and practices of the receiving third country could prevent the data importer from complying with the Data Transfer SCCs. If the risk assessment shows that the Data Transfer SCCs alone will not ensure an essentially equivalent level of protection for the personal data in the receiving third country, supplementary safeguards will need to be implemented, such as end-to-end encryption.