Desafíos actuales de la Inteligencia Artificial

56 Desafíos actuales de la Inteligencia Artificial ly, the CJEU prioritized the fundamental right to privacy over the economic interests of the operator of an AI-powered search engine and the general public’s interest in having access to personal information, subject to safeguards when the relevant person plays a role in public life. The judgment also highlighted the CJEU’s role as a prominent guardian of individuals’ privacy in Europe and the right it established was codified in the GDPR a few years later. This case shows that important legal questions around AI have been in the open for some time now and did not appear only in the advent of the GDPR or – a fortiori – the AI Act. 8 Since Google Spain , the CJEU has continued to adjudicate important questions related to AI systems based on data protection law. 9 As these pre-GDPR cases show, data protection requirements related to AI systems have thus preceded the recent adoption of the AI Act, the Digital Services Act (DSA), 10 or the Dig- ital Markets Act (DMA), 11 which have established new rules and standards in this space. At any rate, the tension between the fundamental right to privacy and the commercial interests of large companies using AI systems is very much alive today, six years after the GDPR has started to apply. Although early GDPR enforcement has been slow, it is now increasingly biting. Figure 1 below shows the highest fines issued under the GDPR as of August 2024. All of these fines were imposed on companies heavily relying on huge quantities of personal data for their AI systems driving personalised advertising, as well as content and product recommendations, among other things. Overall, the effectiveness of those fines and accompanying injunctions to deter tech firms from engaging in GDPR infringements can be discussed. But their general 8 Indeed, the plaintiff in the Google Spain case had complained to the Spanish data protection authority in 2010, almost 15 years ago and six years before the adoption of the GDPR. 9 For example, still with regards to Google’s search engine, the CJEU has also established in 2019 a “right to be accurately remembered” (EUROPEAN COMMISSION: LEGAL SERVICE, 70 years of EU law: a Union for its citizens, Luxembourg: Publications Office of the European Union, 2022, https://data.europa.eu/ doi/10.2880/02622, p. 119), based on the GDPR read in light of the Charter of Fundamental Rights of the EU (judgment of 24 September 2019, GC and Others v CNIL, C-136/17, ECLI:EU:C:2019:773). Going further than pure de-referencing, this right can compel search engines to modify the ranking of their searches, directly affecting their search algorithms. In 2019 still, the CJEU delimited the territorial scope of the right to be de-refe- renced from a search engine’s results (judgment of 24 September 2019, Google v CNIL, C-507/17, ECLI:EU- :C:2019:772). The case originated in France, where the CNIL had imposed a fine of €100,000 on Google for refusing to de-reference results involving personal data to all worldwide versions of its search engine. The CJEU found that when a search engine like Google grants a request for de-referencing, it is in principle required to carry out the de-referencing with regards only to versions available in the EU, not elsewhere. The French Conseil d’Etat, which had referred the question to the CJEU, finally annulled the CNIL’s fine to Google in 2020 (Conseil d’Etat, décision n°399922 du 27 mars 2020, ECLI:FR:CECHR:2020:399922.20200327). 10 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act), OJ L 277, 27.10.2022, p. 1-102. 11 Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on con- testable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), OJ L 265, 12.10.2022, p. 1-66.