RGPD vs IA: The challenges of protecting personal data in the implementation of AIS

At a time when the first provisions of the artificial intelligence regulation are coming into force, the compliance of AI systems is becoming an essential issue.‍

‍

Artificial intelligence (AI) is defined by Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 as follows: ” A system designed to work with elements of autonomy and capable, for a given set of human-defined goals, of generating results such as content, predictions, recommendations, or decisions that influence the environments with which it interacts.” The regulation distinguishes between artificial intelligence systems (AIS) and general-purpose AI models.

‍

AIS are AI applications designed for specific tasks or areas, such as medical diagnostic support systems. In contrast, general-purpose AI models are versatile systems, capable of being used in a variety of contexts and for a variety of applications. For example, a natural language processing model can be adapted to perform machine translation.

‍

Artificial intelligence raises complex issues, especially in the area of personal data protection. Indeed, artificial intelligence systems operate using a large or even massive quantity of data, justifying the establishment of a rigorous framework governing their use and processing, while ensuring respect for the fundamental rights of individuals, including respect for privacy.

‍

The challenges are multiple : how to ensure that algorithms do not compromise the privacy of individuals? How can we ensure that the data analysis carried out by AI systems remains ethical and in accordance with the principles of transparency, fairness and accountability?

‍

To face these challenges, which are not the same in the design phase and in the deployment phase, data protection authorities, such as the CNIL in France and the EDPS at the European level, must constantly reassess and adjust their doctrines to inform actors in the field on the compliance procedures to be carried out by integrating technological developments. Here we provide an overview of recent developments in this doctrinal and/or regulatory framework relating to AI and the RGPD.

For many years, the European Council has been calling on Member States to strengthen the implementation of their digital health strategies. In this context, on 3 May 2022, the European Commission presented a proposal for a regulation to establish the European Health Data Area (EHDS).

‍

The draft regulation was adopted by the Member States on 22 March 2024 and then by the European Parliament on 24 April 2024. The publication of the text in the Official Journal is expected in autumn 2024, and its entry into force varies depending on the provisions concerned (between 2 years and 10 years).

For several years, the European Union has sought to oversee the development of artificial intelligence in order to reconcile innovation and the protection of fundamental rights. In this context, Regulation EU 2024/1689 (AI Act) was adopted by the European Parliament and the Council on 13 June 2024, prior to its publication in the Official Journal of the European Union on 12 July 2024.

‍

This text establishes regulations based on a risk-based approach, prohibiting certain practices and imposing strict requirements, especially for high-risk AI systems. The application of this regulation is particularly significant in the field of health, where AI promises major advances while requiring compliance with numerous European laws, such as the RGPD and the MDR regulation.

Through this article, we want to share with you several feedback that can help you prevent the emergence of disputes and, therefore, to secure your commercial relationships.

‍

We will not mention relationships between traders, governed by the Commercial Code. We will focus on a particular, although relatively common, situation, namely commercial relationships between a software publisher and a professional customer.