EDPB Strengthens AI Oversight & Data Protection Measures


The European Data Protection Board (EDPB) has taken several actions during its latest plenary session held on July 17, 2024, in Brussels. The EDPB adopted a statement recommending that Data Protection Authorities (DPAs) play a crucial role in enforcing the AI Act. The Board suggests that DPAs should be designated as Market Surveillance Authorities (MSAs) for high-risk AI systems, particularly in sectors such as law enforcement, border management, and democratic processes. This recommendation aims to leverage DPAs' expertise in assessing AI's impact on fundamental rights, especially data protection.

On July 12, 2024, the AI Act, officially known as Regulation (EU) 2024/1689, was published in the Official Journal. The AI Act aims to harmonize rules on the placement on the market, putting into service, and use of AI within the EU. It is designed to support innovation while ensuring health, safety, and the protection of fundamental rights, including the rights to privacy and personal data protection as enshrined in the Charter of Fundamental Rights of the European Union (Articles 7 and 8). The regulation follows the New Legislative Framework and requires market surveillance to ensure compliance, in line with Regulation (EU) 2019/1020 on market surveillance and compliance of products.

A central aspect of the AI Act is its requirement for coherence with existing EU data protection laws, including the General Data Protection Regulation (GDPR), the EU Data Protection Regulation (EUDPR), and the Law Enforcement Directive (LED). The EDPB emphasizes that these regulations should be seen as complementary and mutually reinforcing, aiming to provide comprehensive protection for individuals' rights, particularly in relation to personal data processing involved in AI systems.

DPAs are well-positioned to assume the role of MSAs due to their established experience and independence in dealing with data protection issues. The EDPB argues that DPAs' expertise in areas such as data computing, data security, and risk assessment of new technologies makes them particularly suited for overseeing high-risk AI systems. This includes AI systems used in critical areas such as law enforcement, border management, and democratic processes. The EDPB highlights that DPAs have already been actively involved in AI-related developments through guidelines, best practices, impact assessments, and enforcement actions.

In its statement, the EDPB underscores the importance of a coordinated and effective enforcement framework. This framework must ensure sound cooperation between MSAs, DPAs, and other relevant regulatory bodies to maintain a unified approach to AI oversight. The AI Act requires a close relationship between data protection impact assessments and fundamental rights impact assessments, further integrating these crucial elements of AI governance.

The EDPB also addressed international data transfers by adopting two FAQ documents on the EU-U.S. Data Privacy Framework (DPF). These documents aim to clarify the DPF's functioning for both individuals and businesses, covering topics such as complaint procedures and eligibility criteria for U.S. companies. Additionally, the EDPB approved the EuroPriSe Criteria Catalogue for certifying processing activities by data processors, establishing a European Data Protection Seal applicable across the EU/EEA. This certification marks a significant step in GDPR compliance efforts, providing a clear standard for data protection across the region.

Looking ahead, the EDPB's actions reflect a comprehensive approach to data protection and AI regulation, balancing technological advancement with the protection of individual rights. As the August 2, 2025, deadline for Member States to appoint national-level MSAs approaches, these developments are likely to shape the future of AI governance and IT security and privacy in the EU. The decisions made during this plenary session underscore the EU's commitment to maintaining a robust regulatory framework for emerging technologies while safeguarding personal data and fundamental rights.

Furthermore, the EDPB stresses the need for adequate additional human and financial resources to be allocated to DPAs to handle the new tasks and powers related to AI system supervision. The designation of DPAs as MSAs would streamline interactions between regulatory bodies concerned with both the AI Act and EU data protection law, providing a single contact point for stakeholders in the AI value chain.

The EDPB also calls for closer cooperation between the newly established EU AI Office and national DPAs. The AI Office, created by the European Commission, is expected to play a pivotal role in the supervision of general-purpose AI models, which often involve the processing of personal data and impact individuals' privacy and data protection rights. Clear procedures for cooperation between the AI Office and DPAs are essential to ensure a consistent and effective regulatory approach.

The EDPB's recent actions and recommendations highlight the critical role of DPAs in the evolving landscape of AI regulation and data protection. By leveraging their expertise and ensuring close coordination with other regulatory bodies, the EU aims to create a comprehensive and robust framework that promotes innovation while protecting fundamental rights and personal data.
