Share This Article
A potential AI Act vs GDPR conflict might arise from the tension between the AI Actโs goal of addressing algorithmic bias and the GDPRโs strict privacy protections, making it difficult for companies to process sensitive personal data for that purpose while remaining compliant.
The AI Act explicitly allows companies to process sensitive personal dataโsuch as race or health dataโto detect and correct algorithmic bias in high-risk AI systems like hiring tools, credit scoring, or facial recognition. Yet, while the AI Act aims for flexibility, existing GDPR regulations introduce significant complexity, creating a challenging legal puzzle for businesses.
AI Act vs GDPR Potential Conflict: Where’s the Legal Clash?
1๏ธโฃ Legal Basis for Data Processing
Under GDPR Article 9, processing sensitive personal data is generally prohibited unless specific legal grounds are met:
- Explicit consent from the individual.
- Public interest as defined by EU or national law.
However, the AI Actโs Article 10(5) allows more flexibility by permitting the processing of sensitive data without explicit consent to prevent or correct algorithmic bias, provided strong safeguards are in place. This flexibility directly conflicts with GDPRโs more stringent conditions, intensifying the AI GDPR conflict.
2๏ธโฃ Necessity and Proportionality
- GDPR Perspective: Data processing is permissible only when absolutely necessary, and companies must rule out less invasive methods first.
- AI Act Perspective: Requires โstrict necessity,โ yet in practice, this may enable broader data use when addressing algorithmic bias. The ambiguity here risks clashing with GDPRโs stricter privacy standards, further deepening the AI GDPR conflict.
An Alternative View: Is There Really an AI GDPR Conflict?
Some experts argue that the perceived tension between the AI Act and GDPR may be exaggerated. They contend that GDPR Articles 6 and 9 are not in contradiction but rather work together: Article 6 defines the legal bases for processing all personal data, while Article 9(2) provides specific exemptions for processing sensitive data. This means that companies handling special categories of data for AI bias correction must satisfy both provisionsโensuring a legal basis under Article 6 and an exemption under Article 9(2)โalong with the AI Actโs Article 10(5) requirements.
From this perspective, the challenge is not a fundamental AI Act vs GDPR conflict but rather the complexity of compliance. The AI Act explicitly states in Recital 70 that bias mitigation may fall under GDPRโs โsubstantial public interestโ legal ground. Instead of conflicting with GDPR, the AI Act provides a structured approach to handling sensitive data in high-risk AI systems, albeit with a high compliance burden on companies.
The AI GDPR Conflict: A Real Legal Puzzle for Companies
Businesses striving for fair and unbiased AI systems now find themselves caught between two critical regulatory frameworks:
- Ensuring AI fairness by correcting algorithmic bias, potentially requiring broad processing of sensitive data.
- Adhering strictly to GDPR, which could restrict their ability to handle sensitive data without explicit individual consent.
Given the risks associated with inconsistent regulatory enforcement across the EU, companies urgently need clear guidelines or legal updates. Without clarity, differing interpretations may lead to uneven practicesโand potentially costly compliance issues, fueling further AI GDPR conflict.
The Path Forward: Resolving the AI GDPR Conflict
The AI Actโs intent is commendableโaddressing algorithmic bias is essential. However, its approach must be harmonized with GDPR to avoid legal uncertainty. Until policymakers provide explicit guidance on navigating these complexities, companies must carefully balance AI fairness objectives with strict data privacy compliance.
Ultimately, clear, consistent interpretation and application of these laws across the EU will be essential for unlocking AIโs full potential without compromising fundamental rights while minimizing the AI GDPR conflict. This scenario is only one of the legal areas where companies are likely to face challenges in dealing with the provisions of the AI Act. Hopefully, authorities will provide clarifications.
You can find more articles on the EU AI Act HERE.
