EU Data Protection Authorities Caution Against Cutting Corners as AI Act Is Streamlined

Key Takeaways

• Streamlining With Limits: Europe’s data protection authorities support simplifying how the AI Act is implemented, but warn that administrative efficiency must not weaken fundamental rights protections.
• Oversight Must Remain Central: Data protection authorities should retain a core supervisory role wherever personal data is processed, even as new AI governance bodies and sandboxes are introduced.
• Accountability Concerns Raised: Proposals to relax registration requirements for high-risk AI systems risk creating incentives for providers to avoid scrutiny and could undermine transparency.
• Sensitive Data Use Requires Restraint: Expanding the use of special-category data for bias detection should be tightly limited to serious risk scenarios and backed by strong safeguards.

Deep Dive

The European Data Protection Board and the European Data Protection Supervisor responded to the European Commission’s proposed “Digital Omnibus on AI,” a package designed to simplify aspects of the implementation of the AI Act. The goal, according to the Commission, is to make the rules easier to apply in practice. The message from Europe’s privacy watchdogs is that simplification is welcome but only up to a point.

The Joint Opinion acknowledges the growing complexity of the AI landscape and the real-world challenges organizations face as the AI Act moves from legislation to enforcement. Reducing unnecessary administrative burden, the authorities say, can support innovation and help smaller players navigate the new regime. But they warn that some of the proposed changes risk weakening safeguards designed to protect individuals affected by AI systems.

Innovation, Yes—but Not at the Expense of Oversight

EDPB Chair Anu Talus struck a conciliatory but firm tone, noting that innovation and efficiency can coexist with accountability. She welcomed EU-level regulatory sandboxes and simplified procedures as tools to support innovation, particularly for SMEs. At the same time, she stressed that data protection authorities must retain a central role wherever personal data is involved, and that close cooperation between DPAs, the AI Office, and market surveillance authorities is essential to provide legal certainty without eroding fundamental rights.

That balance between speed and safeguards also featured heavily in remarks from European Data Protection Supervisor Wojciech Wiewiórowski, who said simplification works best when it clarifies obligations, empowers individuals, and builds trust. He cautioned, however, that the role of the AI Office must be clearly defined and should not interfere with the independent supervision of EU institutions’ own use of AI systems.

Sensitive Data and Accountability Under the Spotlight

One of the more contentious elements of the proposal involves expanding the ability to process special categories of personal data, such as health or ethnicity, for bias detection and correction. While the EDPB and EDPS accept that addressing bias is a legitimate objective, they argue that such processing should be tightly circumscribed and limited to situations where the risk of serious adverse effects from bias is clearly established and appropriate safeguards are in place.

The two bodies are also openly critical of a proposal to drop registration requirements for certain AI systems that fall within high-risk categories, even if providers themselves assess the systems as “non-high risk.” In their view, removing this obligation would significantly weaken accountability and create incentives for providers to claim exemptions in order to avoid public scrutiny.

Sandboxes, Supervision, and Who’s in Charge

The Joint Opinion is more supportive when it comes to EU-level AI regulatory sandboxes, describing them as a useful way to encourage innovation. However, the EDPB and EDPS argue that legal certainty depends on the direct involvement of competent data protection authorities in supervising data processing within those sandboxes.

They also call for the EDPB to have an advisory role and observer status on the European Artificial Intelligence Board, and for clearer boundaries between the supervisory role of the AI Office and the independent oversight exercised by the EDPS over EU institutions.

On cooperation more broadly, the two authorities back efforts to streamline interaction between fundamental rights bodies and market surveillance authorities, including the use of a central point of contact. Still, they caution that efficiency gains must not dilute the independence or powers of data protection authorities.

Beyond institutional design, the Joint Opinion pushes to retain obligations on AI providers and deployers to ensure AI literacy among their staff. Any new duties placed on the Commission or Member States, the EDPB and EDPS argue, should complement, not replace, the responsibilities of organizations actually building and using AI systems.

Finally, the authorities voice concern about proposals to postpone core obligations for high-risk AI systems. Given how quickly AI technologies are evolving, they urge EU co-legislators to consider sticking to the original timelines for key requirements, such as transparency obligations, and to minimize delays wherever possible.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.