Desafíos actuales de la Inteligencia Artificial

62 Desafíos actuales de la Inteligencia Artificial detect and correct bias in their datasets, if strictly necessary. 30 However, their use is subject to strict conditions. Despite being an exception to the prohibition of sensitive data processing, this possibility should be welcomed to guarantee that AI systems are trained and tested on unbiased datasets, maximising the respect of fundamental rights when deployed. Second, the AI Act extends the competence of national data protection authorities. As anticipated above, the AI Act puts in place a system of post-market monitoring. Under this system, national market surveillance authorities are tasked with controlling compliance with the AI Act, 31 except for general purpose AI models for which the regulation grants exclusive compe- tence to the European Commission, 32 whose newly established AI Office will enforce rules and monitor compliance. Of course, Member States already have market surveillance authorities to monitor compliance with product safety rules. But the Act specifies that, for high-risk AI systems used in law enforcement, border control management, and the administration of justice and democratic processes – including the use of biometrics in these three areas –, Member States need to designate their supervisory authorities under either the GDPR or the Law Enforcement Directive 33 for market surveillance and control. 34 In France, the CNIL will thus have extended competences under the AI Act. This might create additional bottlenecks for national data pro- tection authorities which already suffer from a lack of resources. 35 4. REGULATING AI THROUGH DATA PROTECTION ENFORCEMENT IN FRANCE Given the decentralised nature of the enforcement system under the GDPR, each Mem- ber States has designated a supervisory authority to enforce it. France designated the Com- mission nationale de l’informatique et des libertés (CNIL), which was established in 1978 as an inde- pendent administrative body to act as the country’s data protection authority. 36 30 Article 10(5) AI Act. 31 See Chapter III, Section 4; and Article 70 AI Act. 32 See Chapter V AI Act. 33 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89-131. 34 Article 74(8) AI Act. 35 EU AGENCY FOR FUNDAMENTAL RIGHTS, “Lack of resources undermine EU data protection enforce- ment”, 11 June 2024, https://fra.europa.eu/en/news/2024/lack-resources-undermine-eu-data-protection-en- forcement. 36 Under the GDPR, it can now impose fines of up to €20 million or, for companies, up to 4% of their total world- wide annual turnover, whichever is higher (Article 83 GDPR).