Friction between GDPR and AI law: obstacles revealed

The EU is the first global player to adopt a legislative framework for artificial intelligence (AI).  

The European Parliament’s Internal Market Committee and Civil Liberties Committee set out their positions on May 11, 2023, ahead of negotiations with member states and the European Commission.  

In this blog, we will discuss the interplay between this AI act and the GDPR and its likely impact on data protection regulations. 

We will also briefly discuss how the AI act will affect the role of the DPO.  


  1. What is AI ?

    ‘Artificial intelligence’ (AI) is defined as “a technical or machine-based system that can generate, for a given set of objectives, an output such as, for example, content, predictions, recommendations or decisions affecting real or virtual environments. AI systems are therefore designed to operate with different levels of autonomy.”

2. What is the AI law?

The AI Law is an initiative by Europe to regulate AI. This would be the world’s first concrete law on AI. The AI Act classifies applications of AI at four levels of risk, namely: unacceptable risk, high risk, limited risk and minimal or no risk.

3. Prohibited: Applications with unacceptable risks.

This group includes:

  • AI systems create or expand facial recognition databases through untargeted scraping.
  • AI systems inferring emotions in law enforcement, border management, workplace and education.
  • AI systems that use subliminal techniques or manipulative or deceptive techniques to distort behavior.
  • AI systems that exploit the vulnerabilities of individuals or specific groups.
  • Biometric categorization systems based on sensitive attributes or characteristics.
  • AI systems used for social scoring or evaluating reliability.
  • AI systems used for risk assessments that predict criminal or administrative offenses.

4. Why it is important for AI to be regulated in this way

The main reason is that AI can affect many parts of our lives today, but certainly more so in the future. Some of these include:

    • influencing what information we see online by predicting what content appeals to us;
    • capture and analyze data from faces to enforce laws or personalize ads;
    • Diagnosing and treating cancer.

5. What question should we ask ourselves?

The question to ask now is whether the AI law is anticipated for this variety of applications? And above all, whether AI will not be too fiercely restricted by the emergence of this law.

There are several loopholes and exceptions in the proposed law. These shortcomings limit the law’s ability to ensure that AI remains a positive factor in our lives.

Currently, for example, facial recognition by police is prohibited unless the images are delayed or the technology is used to locate missing children.

What we can already worry about, though, is whether the AI act will adequately protect our data and how it interacts with GDPR provisions. This is where we will delve deeper.

6. The relationship between AI regulations and GDPR

Like the GDPR in 2018, the EU’s AI law could become a global standard, determining the extent to which AI has a positive rather than a negative impact on our lives.

One of the two bases used by the European Commission to justify the AI law is Article 16 of the TFEU, which mandates the EU to adopt rules on the protection and processing of personal data of natural persons.

The AI Act and GDPR are both based on Article 16 TFEU, which means they complement each other when it comes to protecting data subjects.

The rules of the AI Act supplement in certain respects the protections already provided by the GDPR.

In fact, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have suggested that AI systems must meet GDPR compliance in order to obtain the required CE mark.

These coherent regulations contribute to a solid data protection framework in the context of AI applications.


Under the GDPR, the “controller” is primarily responsible for processing personal data. When implementing AI systems, the “users” of the AI Act in the rollout phase are more likely to be considered “data controllers” under the GDPR. This means that, even with limited duties under the law, they remain liable for the use and consequences of personal data related to AI systems.

AI system providers will qualify as “processors” under the GDPR, processing personal data on behalf of AI users and following their instructions, particularly if they provide support or maintenance services for AI systems.

8. What will be the providers of AI systems?

Under the GDPR, providers of AI systems usually become “processors. However, at the development stage and for compliance purposes, they may be considered “data controllers” depending on the processing of personal data under the AI Act.

9. What references does the AI law contain to be GDPR-compliant?

The AI Act contains some references to GDPR compliance, such as requiring users to use information from HRAIS use instructions for data protection impact assessments (DPIAs).

Providers of AI systems have a strict transparency obligation to customers/users, with user instructions and technical documentation specifying details. Although the AI Act regulates certain obligations, users/controllers can demand broader compliance and transparency under the GDPR, even for AI systems that do not qualify as HRAIS.


Importance of the DPO

We were able to see in point 2 that AI systems can be powered by personal data.

Also, the AI act is built around a risk-based approach and risk management.

This is also the way the GDPR is structured. So the DPO already knows what it is to conduct a data protection impact assessment(DPIA) and risk analysis.

Also, the DPO knows how to set up a program, create policies, conduct an audit and train teams.” The DPO will therefore be the ideal person to support (AI) companies in complying with GDPR provisions and the AI Act.

What are the next steps of the AI act?

The European Parliament will hold a plenary vote mid-June 2023, then negotiations will begin between the European Council, the European, Parliament and the European Commission to agree on a final text, which is expected to continue from June through December 2023.

From the moment the final AI Act comes into force, it officially becomes applicable 24 months after that. It is currently expected to be in the first half of 2026.

Contact an accredited DPO for all your questions regarding AI.


Meer berichten

de toekomst van GDPR

The Future of Data Protection

Introduction: Since its implementation in 2018, the General Data Protection Regulation (GDPR) has had a significant impact on how organizations worldwide collect,

Meer info: