BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
tionship between the GDPR and the AI Act in AI system development. 1.6 Interplay Between AI and Data Protection Regulations The AI Act and GDPR should be viewed as com - plementary frameworks, each with their own rules and obligations. Since many AI systems deal with personal data, staying compliant with both set of rules is a must. The following paral - lels can be identified between the AI Act and the GDPR. • Scope: The GDPR’s material scope covers the processing of personal data by auto - mated means and non-automated means if the data forms part of a filing system. Its territorial scope is based on establishment and target criteria applying to entities estab - lished in the EU, and to those outside the EU processing data related to offering goods or services to, or monitoring individuals in, the EU. In contrast, the EU AI Act’s material scope focuses on AI systems and extends to providers, deployers, importers, distribu - tors and authorised representatives. The EU AI Act includes a detailed risk categorisation framework, with most obligations applying to high-risk AI systems. The EU AI Act has a broad geographical scope of application and can catch entities based outside the EU in different respects. • Roles: When using AI systems, it is impor - tant to consider roles and obligations under both the GDPR and the AI Act, as different requirements may apply based on one’s role. The GDPR distinguishes between controllers and processors, with controllers bearing the strictest compliance responsibilities. The AI Act categorises actors into providers, deploy - ers, distributors, importers, etc, with provid - ers and deployers being the most significant
in practice. However, the roles may overlap, completely or in part, with a deployer qualify - ing as a data controller or a provider qualify - ing as a data processor, etc. • Principles: The GDPR sets out seven data protection principles: lawfulness, fairness, transparency, purpose limitation, data mini - misation, accuracy, storage limitation, and integrity and confidentiality (Article 5 of the GDPR). The AI Act outlines general principles for all AI systems and specific obligations to imple - ment these principles, influenced by the OECD AI Principles and the High-Level Expert Group (HLEG)-AI’s seven ethical principles. Recital 27 of the AI Act lists principles such as human agency and oversight, technical robustness and safety, privacy and data governance, transpar - ency, diversity, non-discrimination, fairness and social and environmental wellbeing. These principles are detailed in various articles of the AI Act. For example, Article 10 prescribes data governance for high-risk AI systems, Arti - cle 13 addresses transparency, Articles 14 and 26 introduce human oversight and monitoring requirements, and Article 27 mandates funda - mental rights impact assessments for certain high-risk AI systems. • Human oversight and automated decision- making: Article 22 of the GDPR grants data subjects the right not to be subjected to deci - sions based solely on automated processing unless necessary for a contract, authorised by law or based on explicit consent. It also mandates measures to protect fundamen - tal rights, including human intervention and the ability to contest decisions. Similarly, the AI Act requires high-risk AI systems to allow effective human oversight during use and mandates technical and organisational
16
CHAMBERS.COM
Powered by FlippingBook