Desafíos actuales de la Inteligencia Artificial

36 Desafíos actuales de la Inteligencia Artificial 1. INTRODUCTION Although the GDPR and the EU AI Act appear to be similar legal instruments, as both include regimes of accountability, governance, and oversight, they serve different purposes. 1 The EU’s data protection law is predominantly defined by the GDPR. The current framework of the GDPR is based on the 1995 Data Protection Directive, the right to data protection in Article 8 of the Charter of Fundamental Rights (CFR), the right to privacy in Article 7 of the CFR, and the primary legal basis in Article 16 TFEU. The EU AI Act is predominantly a product safety law aimed at ensuring the safe technical development and deployment of AI systems; and apart from a few exceptions, it does not confer any rights to individuals. 2 It adopts a horizontal approach, unlike other product safety legislations, as it is not specific to any particular sector but is instead dedicated to the use of AI systems. 3 The EU AI Act is based on a risk-oriented approach, categorizing AI systems into four levels of risk: unacceptable, high, limited, and minimal/no-risk. AI systems posing an “unacceptable risk” will be prohibited, while “high-risk” AI systems will be subject to stringent obligations before they can be introduced to the EU market. 4 Unlike the GDPR, the EU AI Act implements a comprehensive risk categorization and imposes distinct obligations based on these categories. Most requirements under the EU AI Act are applicable solely to high-risk AI systems (as outlined in Article 6 and Annex III of the EU AI Act). Specific obligations also apply to various AI systems, such as general-purpose AI models, along with transparency requirements for systems like emotional categorization systems. 5 Most of the provisions of the AI Act focus on high-risk systems, outlining obligations for providers, users, and other participants throughout the AI value chain, and establishing conformity assessment procedures to be followed for high-risk AI systems. 6 In contrast, the GDPR is a fundamental rights legislation that grants individuals extensive rights regarding the processing of their personal data. The GDPR’s subject matter and scope encompass the processing of personal data with the aim of safeguarding the fundamental rights and freedoms of individuals, as outlined in Article 1 of the GDPR. 7 The definition of ‘processing’ personal 1 CEDPO AI Working Group, AI and Personal Data A Guide for DPOs “Frequently Asked Questions” (2023) p. 10. 2 M. VEALE and F. Z. BORGESIUS, ‘Demystifying the Draft EU Artificial Intelligence Act — Analysing the good, the bad, and the unclear elements of the proposed approach’ (2021) 22 Computer Law Review International 97–112 at 97. 3 M. EBERS, ‘Standardizing AI - The Case of the European Commission’s Proposal for an Artificial Intelligence Act’ (2021) p. 13. 4 ‘Ethics guidelines for trustworthy AI | Shaping Europe’s digital future’ (April 2019). 5 J. CLARK, M. DEMICRAN, K. KETTAS, ‘Europe: The EU AI Act’s relationship with data protection law: key takeaways’ (April 2024). 6 M. EBERS, ‘Standardizing AI - The Case of the European Commission’s Proposal for an Artificial Intelligence Act’, p. 1. 7 Article 1 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (2016).