The Evolving Landscape of AI Governance and Regulation in Europe: What Data Protection Officers Need to Know

Introduction

Artificial intelligence ("AI") promises to transform industries and enhance products and services in countless ways. However, it also raises new and complex questions around ethics, transparency, bias, and privacy. As a result, governments around the world are developing new laws and regulations to ensure AI is trustworthy and aligned with social values.

In Europe, policymakers have taken a leading role in shaping AI governance. New rules proposed by the European Union aim to minimise risks from AI while enabling innovation. As these initiatives take shape, data protection officers have an important responsibility in educating teams and ensuring organisational compliance. This post provides an overview of key developments in European AI regulation and guidance for data protection officers on preparing.

‍

The role of the Data Protection Officer in the AI world

Many organisations are now frequently turning to their Data Protection Officer for guidance on this area and there’s a strong need to up-skill, fast.

The EU’s Evolving AI Regulatory Framework   

In April 2021, the European Commission issued its first comprehensive set of legal requirements for AI systems under a proposed Artificial Intelligence Act (the “EU AIA”).This ground-breaking proposal categorises AI by risk levels and introduces mandatory rules for high-risk applications like those used in critical infrastructure, employment, law enforcement, and more.

Requirements for high-risk systems cover areas such as risk management, data quality, documentation, transparency, human oversight, and robustness. The act could take effect as early as late 2023/ Q1 2024 following legislative approval. You can read more about it in detail in one of our previous blogs, accessible here.

Beyond the AI Act, the EU is also developing additional initiatives to complement the regulatory landscape:

• An AI liability directive, along with an update to existing product liability legislation (we’ve also prepared a blog on this! See here).
• The Data Act, which will enter into force in early 2025 will impose new data access and sharing requirements that may influence AI training data.
• And of course the obligations of GDPR (which I'm sure you're all familiar with) will continue to apply, with a renewed focus on the automated decision making provisions.

We are also seeing many important standards emerging in this area. CEN-CENELEC have formed a Joint Technical Committee to work on harmonised standards for AI and we expect that these will play a critical role in demonstrating compliance with the EU AI Act in future.

Implications for Data Protection Officers

As a data protection officer, it is essential to monitor emerging regulations and understand how your organisation may need to adapt AI policies, processes, and systems for compliance. Here are some best practices:

• Start to build an inventory of where and how AI is used across your organisation (this is where Enzai can help!).
• Look to adopt some frameworks around how you build and deploy AI, and make sure technical teams are aware of these and use them - well designed frameworks will cover off the legal requirements.
• Closely review intended data usage, automated decision-making, and other areas implicated by new regulations. Update data protection impact assessments as needed.
• Work cross-functionally with engineering, product, legal, and leadership to implement required changes and ensure a compliant AI governance strategy.
• Monitor compliance of these systems over time, because things can change quite quick in this area.
• Monitor enforcement timelines and actions by EU national authorities as regulations take effect.
• Evaluate and select AI systems, services, and vendors that adhere to strong ethics principles and applicable legal standards.
• Champion responsible data use, fair and explainable algorithms, and other pillars of trustworthy AI within your organisation.

It is an exciting time to be a Data Protection Officer and the new opportunities and challenges that AI presents are boundless for all businesses, across all industry sectors. Staying abreast of developments will help ensure both compliance and competitive advantage.

‍

To learn more read about Enzai's solutions for AI Governance, Model Risk Management, AI Regulations, Generative AI and the EU AI Act.