With the rapid development of artificial intelligence, companies in the European Union are facing a complex regulatory landscape that is largely shaped by two pillars: the General Data Protection Regulation (GDPR) and the new Artificial Intelligence Regulation (AI Act). While the GDPR has been regulating the handling of personal data for years and has established itself as the standard for data protection, the AI Act is now the first comprehensive regulation specifically for AI systems. At first glance, both sets of regulations appear to pursue similar goals, such as protecting fundamental rights and building trust in new technologies. But how do these two comprehensive laws relate to each other? This question becomes particularly relevant when AI systems are trained or operate on the basis of personal data. Personal data is often the “fuel” of AI systems. This dual regulation raises crucial questions: Is compliance with one regulation sufficient, or are new, overlapping obligations emerging that could lead to costly pitfalls? If companies want to rely on the use of AI, they should first clarify the differences and similarities between the GDPR and the AI Act.
Scope of the GDPR and the AI Act
The GDPR focuses on the processing of personal data. Personal data is any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). Processing includes virtually any handling of personal data, from reading and storing to transferring and deleting. The GDPR is designed to be technology-neutral, which means that its provisions apply regardless of the technology used, as long as personal data is processed.

In contrast, the AI Act primarily regulates AI systems and AI models themselves. An AI system is defined as “a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments” (Art. 3 No. 1 AI Act). The AI Act does not directly define what an AI model is. However, Recital 97 of the Regulation states that AI models are central components of an AI system and become an AI system through additional components such as a user interface. In simple terms, the AI model is the neural network and thus the core of the AI system.
Differences and Similarities
The main objective of the GDPR is to protect the fundamental rights of natural persons against risks that may arise from data processing. The GDPR requires data controllers to take both technical and organizational measures to address the risks to data subjects (Articles 25 and 32 GDPR). Personal data may only be processed in accordance with the principles laid down in the GDPR, and the controller is accountable to the data subjects in this regard (Art. 5(2) GDPR). The lawfulness of processing must be assessed in each individual case. Where new technologies are used, which undoubtedly includes AI, a well-documented data protection impact assessment must also be considered (Art. 35 GDPR).

The AI Act aims to ensure that AI is trustworthy and secure and is developed and used in accordance with fundamental rights. The AI Act is primarily product safety law that establishes uniform rules for the placing on the market, putting into service, and use of AI systems and AI models within the EU. In its implementation, the AI Act focuses primarily on classifying AI systems and AI models into specific risk categories, each of which is subject to a different legal framework. The AI Act defines risk as the combination of the probability of harm occurring and the severity of that harm (Art. 3 No. 2 AI Act). The AI Act addresses the risks posed by AI by laying down specific rules for AI technologies and their application.

Although the focus of the GDPR and the AI Act is different, they are closely linked in areas where AI systems process personal data. Both laws aim to minimize risk. The AI Act complements the GDPR by addressing specific risks posed by AI technologies. Although compliance with the AI Act can also help to meet the requirements of the GDPR, AI Act compliance alone is generally not sufficient for this purpose.
Attorney Anton Schröder