1 38 Table of Contents 40 278

Desafíos actuales de la Inteligencia Artificial

The interplay between AI act and GDPR 39 AI typically involves the collection of vast amounts of data, particularly during the training phase, and many AI systems possess a broad potential range of applications, such as mimicking human-like intelligence, which makes the clear definition of “pro- cessing purposes” challenging. 22 Consequently, the issue arises regarding the quantity and type of data required to ensure successful training. 23 The connection to the purpose limitation within the data minimisation principle serves as an entry point for AI-specific considerations, which emphasize the system’s overall functionality rather than focusing solely on individual processing operations. 24 This aligns with the accuracy requirement under the AI Act(Article 15), which seeks to mitigate risks to the health, safety, and fun- damental rights of individuals. Furthermore, it supports the overarching aim of data protection law, specifically in safeguarding fundamental rights and freedoms, including the right to non-discrimination. Nonetheless, at the same time it poses a challenge to the objective of limiting the quantity and the intrusiveness of personal data to safeguard the right to data protection. 25 Legal requirements concerning the quantity and quality of training datasets necessary for successful training are outlined in Article 10 of the AI Act. If the processing is intended for training a high-risk AI system, the principles of adequacy, relevance, and necessity outlined in Article 5(1)(c) of the GDPR, which are purpose-related, must be construed and implemented in accordance with Articles 15 and 10 of the AI Act. 26 Therefore, the determination of the appropriate quantity and type of data that are adequate, relevant, and necessary for the training of a specific AI system must be evaluated based on the criteria of relevance, representativeness, error-free status, and completeness as stipulated in Article 10(3) of the AI Act, and to ensure accuracy as required by Article 15(1) of the AI Act. 27 As a result both Article 5(1)(c) of the GDPR and Article 10 and 15 of the AI Act must be construed and applied in concordance, if any tension arises a balance must be struck. 28 The AI Act risks establishing parallel enforcement structures alongside data protection authorities, potentially resulting in legal uncertainty. 29 Although the EDPB and the EDPS have emphasized that national data protection authorities should be tasked with enforcing 22 KETTAS, ‘Europe’. 23 M. WINAU, ‘Areas of Tension in the Application of AI and Data Protection Law’ (2023) 9 European Data Pro- tection Law Review 123–35 at 132. 24 M. WINAU, ‘Areas of Tension in the Application of AI and Data Protection Law’, 132. 25 Ibid. 26 Ibid. 27 Ibid. 28 Ibid. 29 P. HAJDUK, AI Act and GDPR: On the path towards overlap of the enforcement structures, October 2023, RAILS Blog, https://blog.ai-laws.org/

RkJQdWJsaXNoZXIy NTEwODM=