GDPR and AI Act: a synergistic interaction for ethical governance of AI
Summary
- 1. Introduction: AI, personal data and regulation
- 2. Common objectives of the GDPR and the AI Act
- 3. Strategic complementarity
- 4. The differences in scope between GDPR and AI Act
- 5. Similarities in governance and compliance
- 6. Conclusion: responsible AI at the heart of Europe
1. Introduction: AI, personal data and regulation
Artificial intelligence (AI) is profoundly transforming our societies, in areas as varied as health, finance, mobility and even education. However, this technological revolution raises many concerns: massive collection of personal data, algorithmic biases, opaque automated decisions, risks of surveillance or discrimination.
To regulate these practices, two major European texts now intersect: the GDPR (General Data Protection Regulation) and the very recent AI Act (Artificial Intelligence Act). Their interaction aims to reconcile technological innovation, the protection of fundamental freedoms and digital security.
2. Common objectives of the GDPR and the AI Act
The GDPR and the AI Act share the same objective: to guarantee a framework of trust for European citizens in the face of advanced digital technologies.
- The GDPR, which came into force in 2018, protects personal data and imposes strong principles: minimization, consent, transparency, security, personal rights...
- The AI Act, currently being adopted, aims to regulate AI systems according to their level of risk (unacceptable, high, limited, minimal). It imposes reinforced obligations for high-risk AI systems.
Together, they create a normative ecosystem that promotes ethical, reliable AI consistent with European values.
3. Strategic complementarity
The two texts do not compete with each other: they complement each other.
- The GDPR regulates the use of personal data.
- The AI Act regulates the use of AI systems themselves, whether or not they process personal data.
Thus, a predictive algorithm used in recruitment is subject to both:
- the GDPR (because it processes CVs, and therefore personal data),
- and the AI Act (because it can influence high-impact decisions).
The GDPR provides guarantees on people's rights, the AI Act on the technical reliability and transparency of systems.
Good to know: the GDPR requires a DPIA (Data Protection Impact Assessment, AIPD in French). The AI Act likewise requires a risk analysis for high-risk AI systems, covering bias, opacity and potential harm.
4. The differences in scope between GDPR and AI Act
Geographic scope
- GDPR: applies to any processing of personal data whenever a European citizen is concerned.
- AI Act: applies to any AI system used, deployed or marketed in the EU, even if developed outside the EU.
Typology of actors
- GDPR: targets data controllers, processors and DPOs.
- AI Act: defines a complex chain of responsibility: provider, importer, distributor, deployer, authorised representative...
The GDPR is data-centric. The AI Act focuses on the technology product.
5. Similarities in governance and compliance
Companies subject to both regulations will have to put in place robust governance, with several points in common:
| Requirement | GDPR | AI Act |
|---|---|---|
| Risk assessment | DPIA (AIPD) | High-risk AI risk assessment |
| Technical and organizational measures | Yes | Yes |
| Processing register | Mandatory | AI inventory (strongly recommended) |
| Incident notification | Within 72 hours | Obligation to notify in the event of a failure or incident |
| Accountability (responsibility) | Main obligation | Highly recommended |
| Training | Recommended for everyone | Mandatory for managers of high-risk AI systems |
Note: many companies now assign governance of the AI Act to the DPO, underlining the natural connection between the two regulations.
6. Conclusion: responsible AI at the heart of Europe
The relationship between the GDPR and the AI Act constitutes a solid foundation for building trusted AI, consistent with European values of respect for fundamental rights, transparency and ethics.
While these two regulations introduce high requirements, they also offer companies a competitive advantage, by making it possible to deploy reliable, responsible and user-friendly technologies.
For organizations, the challenge is clear: anticipate the application of the GDPR and the future AI Act in their AI projects today, by relying on data and cyber experts and by strengthening their governance.