Desafíos actuales de la Inteligencia Artificial

The interplay between AI act and GDPR 47 appropriate measures aimed at mitigating risks, exampling the GDPR’s proactive stance in data processing 83 The AI Act ensures the protection of fundamental rights through a technical way by banning AI systems with unacceptable risks, whereas the GDPR has a case-by-case basis approach in its evaluation of personal data processing, and the protection of personal data. 84 More precisely, the GDPR aims to balance collective and individual interests in personal data processing, while protecting data subjects’ rights by establishing provisions to be weighed on a case-by-case basis. 85 This balance is exemplified in the GDPR’s risk mitigation tools. 86 A case-by-case basis approach is particularly relevant in how organisations conduct DPIA for any data processing high risk to the rights and freedoms of individuals. However, the criteria and thresholds used to define high-risk AI systems under the AI Act may not align with those governing high-risk data processing under the GDPR, potentially resulting in divergent risk assessments and overlapping compliance obligations between the two regulations. 87 It is important to highlight that a DPIA conducted pursuant to Article 35 of the GDPR complements a FRIA conducted under Article 27 of the EU AI Act. Consequently, a deployer may be considered as having fulfilled some obligations of the EU AI Act if they have already been addressed in a DPIA conducted under the GDPR. However, any specific requirements for a FRIA that have not been addressed in the DPIA must still be complied with by the deployers. (3) Special Categories of Personal Data: Article 9 of the GDPR concerns to the processing of special categories of personal da- ta, 88 which can only be justified under specific circumstances such as explicit consent or le- gitimate purposes. “ However, there has been legal debate around the word “revealing”, which suggests 83 Winau, ‘Areas of Tension in the Application of AI and Data Protection Law’, 127. 84 Winau, ‘Areas of Tension in the Application of AI and Data Protection Law’, 127. 85 Winau, ‘Areas of Tension in the Application of AI and Data Protection Law’, 126. 86 Winau, ‘Areas of Tension in the Application of AI and Data Protection Law’, 127. 87 A. Schwanke, ‘The EU AI Act: Summary and Key Issues’ (September 2024). 88 Article 9(1):Processing of personal data revealing racial or ethnic origin, political opinions, religious or philo- sophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) .