The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Joint Opinion).
The Joint Opinion follows the European Commission’s (Commission) Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI) which was presented on the 21st April 2021 (Proposed Regulation). The Proposed Regulation laid out (i) harmonised rules for the placing on the market, the putting into service and the use of AI systems in the EU; (ii) prohibitions of certain AI practices; (iii) specific requirements for high-risk AI systems and obligations for operators of such systems; (iv) harmonised transparency rules for AI systems; and (v) rules on market monitoring and surveillance. We have previously summarised the obligations, scope and effect of the Proposed Regulation in our previous client alert, here.
The EDPB and the EDPS welcome the concern of the Commission in addressing the use of AI within Europe and stress that the Proposed Regulation has important data protection implications. Both authorities agree with the risk-based approach underpinning the Proposed Regulation and further welcome the fact that the Proposed Regulation designates the EDPS as the competent authority and the market surveillance authority for the supervision of the EU institutions. However, they note the role and tasks of the EDPS should be further clarified, specifically to its role as a market surveillance authority.
The EDPB and the EDPS also set out a number of concerns and recommendations:
- The EDPB and EDPS have serious concerns regarding the exclusion of international law enforcement cooperation from the scope of the Proposed Regulation. This exclusion creates a significant risk of circumvention (e.g. third countries or international organisations operating high-risk applications relied on by public authorities in the EU).
- While the EDPB and EDPS welcome the risk-based approach of the Proposed Regulation, the concept of “risk to fundamental rights” should be clarified and put in line with the General Data Protection Regulation (GDPR).
- The EDPB and the EDPS note that some of the provisions in the Proposed Regulation leave out the risks for groups of individuals or the society as a whole (e.g., collective effects with a particular relevance, like group discrimination or expression of political opinions in public spaces). The EDPB and the EDPS recommend that societal/group risks posed by AI systems should be equally assessed and mitigated.
- It should be made explicit that existing EU data protection legislation apply to any processing of personal data falling under the scope of the Proposed Regulation.
- Given the risks posed by remote biometric identification in publically accessible places, the EDPB and the EDPS request a general ban on any use of AI for automated recognition of human features in publicly accessible spaces, such as recognition of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, in any context.
- They also recommend a ban on AI systems using biometrics to categorise individuals based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights.
- The EDPB and EDPS consider the use of AI to infer emotions of a natural person as being highly undesirable and argue that this should be prohibited, except for very specified cases, such as some health purposes where the recognition of the patient’s emotions is important on medical grounds. The use of AI for any type of social scoring should also be prohibited.
- The role of the data protection authorities (DPAs) in relation to AI was also discussed. The joint opinion argues that the DPAs should also be designated as the national supervisory authorities for the purposes of AI oversight, as the EU DPAs are already applying the GDPR and Law Enforcement Directive to artificial intelligence systems involving personal data. This would create a more harmonised regulatory approach and contribute to the consistent interpretation of data processing provisions across the EU and avoid contradictions in its enforcement among EU Member States.
- Remote biometric identification of individuals in publicly accessible spaces poses a high risk of intrusion into individuals’ private lives. Therefore, the EDPB and the EDPS consider that a stricter approach is necessary. The use of AI systems might present serious proportionality problems, since it might involve the processing of data of an indiscriminate and disproportionate number of data subjects for the identification of only a few individuals (e.g., passengers in airports and train stations).
Even though the EDPB and the EDPS welcome the Proposed Regulation of the Commission, they consider that the Proposed Regulation needs to be adapted on several issues to ensure its applicability and efficiency. While the Joint Opinion is not binding, it will carry weight with the Commission, EU countries and the European Parliament. A lot of work remains to be done before we can see a well-functioning legal framework that supplements the GDPR in protecting the fundamental rights of EU citizens while fostering innovation.