Europe Daily Bulletin No. 13747
SECTORAL POLICIES / Digital

With its ‘Digital Omnibus’, Commission wants to reopen GDPR and modify application of Artificial Intelligence Act

On Wednesday 19 November, the European Commission is due to present its ‘Digital Omnibus’, a simplification package covering the Artificial Intelligence Act (AI Act), the General Data Protection Regulation (GDPR) and the Data Act. Agence Europe was able to obtain a working version of the project, subject to modification. Dated 31 October, it confirms Europe’s willingness to clarify the obligations of legislative texts, as well as their articulation and actual application. 

Simplification of the AI Act. The Artificial Intelligence Act alone makes up one part of the simplification package. Most of the Commission’s changes do not directly affect the scope of the text, but make adjustments aimed at centralising its application and strengthening the governance structure and supervisory powers of the AI Office.

In the text, the Commission proposes to entrust the AI Office with the supervision and monitoring of all general-purpose artificial intelligence (GPAI) models, provided they come from the same supplier.

“The AI Office shall have all the powers of a market surveillance authority (...) and [is] empowered to take the appropriate measures and decisions to adequately exercise its powers”, it says in detail.

This prerogative would also be extended to “online AI systems considered to present a ‘systemic risk’ within the meaning of the Digital Services Act or integrated into such services”, which would also have to be supervised by the Commission.

The AI Office could also be given the power to impose fines and administrative penalties by means of a Commission delegated act.

On the issue of the use of personal data, a sensitive point that requires a legal basis, the Commission envisages that, “to the extent that it is necessary for the purpose of ensuring bias detection and correction in relation to the high-risk AI systems (...), the providers and deployers of such systems may exceptionally process special categories of personal data, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons”, referring to the obligations listed by the GDPR and imposing specific safeguards.

To clarify certain issues relating to the relationship with other legislation, the Commission wants to include a paragraph specifying that the cyber security requirements of the AI Act for high-risk systems are deemed to have been met if they already “comply with the requirements of the Cybersecurity Act”.

The text also extends a number of regulatory privileges and exemptions on sanctions and compliance with technical reporting obligations, originally intended for SMEs, to ‘small midcaps’ (up to 750 employees and €150 million in annual sales).

To see the Omnibus on AI: https://aeur.eu/f/jbc

Several targeted amendments to the GDPR and the ‘Data Act’. The other part of the simplification package incorporates both the Data Protection Regulation and the Data Act, with adjustments that reflect an effort to simplify overlapping legislation.

With regard to the GDPR and the issue of the processing of personal data by AI, the text includes a paragraph in Article 4, which states that “appropriate organisational and technical measures must be implemented to avoid, as far as possible, the collection and processing of special categories of personal data”.

Where such data is nevertheless used for “training, testing or validation [...] or in the AI system or the AI model”, the controller must “delete the data”.

An Article 88c has also been added, relating to “processing in the context of the development and operation of AI”. The Court ruled that any such processing must be “subject to appropriate safeguards, in accordance with GDPR, for the rights and freedoms of the data subject”.

To see the omnibus on the GDPR and the Data Act: https://aeur.eu/f/jbd (Original version in French by Isalia Stieffatre)
