BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
measures to ensure proper use and oversight. Without adequate human oversight, AI sys - tems may fall under the automated decision- making framework of Article 22 of the GDPR. • Reporting incidents: Reporting obligations for serious incidents or malfunctions of AI systems can overlap with GDPR reporting requirements when personal data is involved. For example, deployers using AI must inform the provider, and possibly the distributor or market surveillance authorities, if they identify a significant risk or serious incident. If such an incident results in a data breach compro - mising the data processed by the AI system, they must also notify the relevant DPA within 72 hours and, if necessary, the affected data subjects. This ensures compliance with both the AI Act and GDPR requirements. • Penalties: Both the GDPR and the AI Act impose administrative fines based on the severity of the infringement. Under the GDPR, minor infringements can result in fines up to EUR10 million or 2% of global annual turno - ver, while serious breaches can lead to fines up to EUR20 million or 4% of global annual turnover. The AI Act outlines penalties in Article 99, with serious breaches, such as non-compliance with prohibited AI practices, resulting in fines up to EUR35 million or 7% of global annual turnover. Minor breaches, like providing incorrect information, can incur fines up to EUR7.5 million or 1% of global annual turnover. The AI Act and the GDPR have different scopes and requirements, which can create challeng - es for compliance and consistency. Additional guidance from authorities such as the EDPB, the European Commission and/or the AI Office is of great value. It is worth mentioning the following guidelines.
• On 19 September 2024, the DPA released guidelines on AI and data protection, detailing the relationship between the GDPR and the AI Act in AI system development. • On 18 December 2024, the EDPB adopted Opinion 28/2024 on the use of personal data for AI model development and deployment. The opinion addresses (i) the conditions under which AI models can be considered anonymous, (ii) the use of legitimate inter - est as a legal basis for AI development and use, and (iii) the implications of developing AI models with unlawfully processed personal data. It also considers the use of both first and third-party data. Currently, fines imposed by the DPA are much more common than private litigation concerning data protection infringements. This is most likely due to the high costs of litigation combined with the relatively low number of claims for damages. 2.2 Recent Case Law In 2024, the CJEU issued several rulings regard - ing standard damages in relation to data protec - tion, as outlined in Article 82 of the GDPR. Key elements to consider include the following: • not every breach of the GDPR automatically gives rise to a claim for compensation under Article 82 of the GDPR; • “damage” must be interpreted broadly; • damage caused by a breach of personal data protection is no less serious than bodily injury; 2. Privacy Litigation 2.1 General Overview • Article 82 of the GDPR does not have a threshold of seriousness or a minimum threshold that the damage must exceed;
17
CHAMBERS.COM
Powered by FlippingBook