Desafíos actuales de la Inteligencia Artificial

42 Desafíos actuales de la Inteligencia Artificial Article 2(7) of the AI Act states that the regulation does not affect EU Data Protection Law. 43 Hence, AI systems based on personal data are required to comply with both the AI Act and GDPR. Moreover, the AI Act does not include any explicit requirements for AI systems to comply with GDPR provisions to be placed on the EU market, despite recommendations from both the EDPS and the EDPB that co-legislators to include such a requirement in the AI Act. Specifically, both authorities advised the certification of high-risk AI systems should explicitly verify compli- ance with the GDPR. 44 Conversely, Recital 63 of the AI Act states that “ an AI system is classified as a high-risk AI system should not be interpreted as indicating that the use of the system is lawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, on the use of polygraphs and similar tools or other systems to detect the emotional state of natural persons .” It continues to clarify that “ the AI Act should not be understood as providing for the legal ground for processing of personal data, including special categories of personal data, where relevant, unless it is specifically provided for otherwise in the AI Act. ” 45 Since the AI Act and the GDPR apply simultaneously, both the EDPB and the EDPS stressed that it is vital to clearly avoid any inconsistencies and possible conflicts with the GDPR in the AI Act. 46 Veritably, certain concepts and provisions of the AI Act overlap with EU data protection law, which may result in legal ambiguities and varying interpretations. Within a practical context, the AI Act provides a double layered protection, the first phase covers the development or production of AI systems, and the second phase pertains to their utilization. 47 When a high-risk AI system is developed, the obligations arising from Chapter III, particularly Article 16, apply. If personal data is processed within this high-risk AI system, the GDPR will also apply to the provider as the controller. 48 Non-personal data can turn into personal data throughout its lifecycle if additional infor- mation that can be used to identify a person becomes available. 49 Moreover, for the learning 43 According to Art 2(7) of the AI Act, data processing for the purpose of ensuring bias detection in high-risk AI systems in its Article 10(5) and data processing in AI regulatory sandboxes in its Article 59 are explicitly excluded. 44 ‘EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) | European Data Protection Board’ para 23; ‘EDPS Opinion 44/2023 on the Proposal for Artificial Intelligence Act in the light of legislative developments | European Data Protection Supervisor’ (September 2024) para 27. 45 Recital 63, European Parliament legislative resolution of 13 March 2024 on the proposal for a regulation of the European Par- liament and of the Council on laying down harmonised rules on Artificial Intelligence (Artificial Intelligence Act) and amending cer- tain Union Legislative Acts (COM(2021)0206 – C9-0146/2021 – 2021/0106(COD))(Ordinary legislative procedure: first reading).References to articles and recitals introduced or changed by the Parliament will be labelled in this paper as “the EU AI Act” . 46 para 57 ‘EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) | European Data Protection Board’. 47 M. JACOBS and J. SIMON, ‘Assigning Obligations in AI Regulation: A Discussion of Two Frameworks Pro- posed By the European Commission’ (2022) 1 Digital Society 6. 48 M. WINAU, ‘Areas of Tension in the Application of AI and Data Protection Law’, 125. 49 Ibid.