The European Union has long been a leader in data protection regulation with the General Data Protection Regulation (GDPR). Now it's well on its way to doing the same in the AI space with the AI Act, which is steadily making its way through the EU legislative process. Today we’ll discuss the Data Act, which will regulate many AI uses due to the centrality of training data to many AI products and services.
Although the EU aims to regulate AI primarily with the EU AI Act, AI systems will still be required to comply with all other EU regulations on data, given that data are the core driver of modern AI. This is aligned with the EU's overarching strategy for pending data regulation, which is set out in more detail in the European Data Strategy.
In this blog post, we’ll highlight why you should care about the EU Data Act, covering the key obligations, what these obligations imply, and how you can get started with preparedness.
Key takeaways:
The huge range of connected devices (including Internet of Things devices) all around us has the potential to mishandle data within the EU. The Data Act is poised to be a cornerstone of the EU's legislation surrounding data. In particular, it covers requirements related to the following:
The Act specifies two categories related to the above data generation and handling: “connected products” and “related services”.
The aim of the Data Act is to enable users of connected products and related services to access the data they created using these products and services. Additionally, the act weighs in on how data may or may not be transferred to third parties after it is generated. Broadly speaking, the Act balances concerns about users’ ability to control their data while encouraging innovative data products and uses.
It’s noteworthy that the Data Act applies to both personal and non-personal data. However, the Data Act does not provide a general lawful basis to process personal data related to connected products or related services. Essentially, the Data Act balances the data sovereignty of users over the data they created against the idea of generating value by transferring and using these data silos. When these silos contain personal data, the GDPR and the Data Act apply simultaneously.
As a general design-related obligation, the Data Act requires that connected products and related services be designed in a manner that enables the user to access the product and service data, including the relevant metadata, "easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format" by default.
The Data Act tries to maintain a balance between the data holder’s obligations and the users’ rights. It does so through a series of design requirements made of entities that hold user data, as well as obligations on what must be communicated to users about their data. We’ll outline both below.
Under the Data Act, a data holder is defined as
"a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service."
In other words, data holders are entities who are effectively in a position to exert control over the product or service data.
The Data Act imposes certain obligations on data holders, some of which are practical extensions to the general design requirement enabling data accessibility for the users of connected products and related services. The key obligations include:
Granting these rights to access data in specific ways, however, is only half the battle; it is not sufficient to realize the purpose of the Data Act if users are not made aware of their rights. To address that, the framework is complemented by a set of requirements on what must be disclosed to the user. This includes the volume of data the connected device will generate and the identity of the parties involved in processing it.
The Data Act requires the seller or renter of a connected product or related service, regardless of whether these are the manufacturers or providers, to disclose the following properties about the data generation, storage, and transfer practices of the product or service in question.
The Data Act does not contain specific provisions for AI systems. Nevertheless, it affects AI systems deployed in connection with or as part of a connected product or related service, such as smartwatches that process user data to train AI models that provide additional functionality, or AI-powered virtual assistants. Given the increasing number of AI applications being built into or deployed in connection with such products or services, its effect on the AI product and service landscape will be significant.
An important question here is how the data governance requirements under the EU AI Act interact with the Data Act. Article 10 of the EU AI Act's latest consolidated draft sets out the data governance requirements for the datasets used in high-risk AI systems. These requirements do not have direct equivalents under the Data Act. However, there may be some overlapping issues depending on the system in question.
First, because powerful AI systems need enormous datasets, deploying an AI system in a connected product or related service will almost always make compliance with the Data Act more challenging.
Second, the scope, aim, and purpose of the Data Act and the EU AI Act are different. Compliance with the requirements of one of these regulations will not automatically ensure compliance with the other. However, because some concepts overlap, requirements from the two texts may affect each other. For example, both texts refer to measures to prevent unauthorized access. Article 15 of the EU AI Act requires high-risk AI systems to be resilient against attempts by unauthorized third parties. Article 11 of the Data Act, on the other hand, states that the data holder may implement appropriate technical measures to prevent unauthorized access to data. Any measure to prevent unauthorized access to data under the Data Act may therefore also count as a measure aimed at meeting the cybersecurity requirement under the EU AI Act.
Third, there may be some seemingly conflicting points as well. For instance, the EU AI Act refers to competent authorities accessing datasets on several occasions, whereas the Data Act allows such access or use only in relation to emergencies. In practice, however, there is no direct conflict, and the simultaneous and harmonious application of these provisions must be worked out taking the specific circumstances of a given AI system and its data processing into account.
The Data Act is one of the most recent pieces of legislation in the EU's increasingly complex network of data governance law, and it affects AI systems deployed on connected products and related services. Risks can only be properly assessed, and appropriate actions determined, with a holistic approach that uses technical and regulatory tools together.
As compliance cannot happen overnight, getting started before the requirements take effect is the best way to maximize alignment with emerging and existing laws. Make sure you are equipped to navigate the data governance requirements under the Data Act as well as the EU AI Act with Holistic AI, and put appropriate risk assessment, mitigation, and prevention tools in place.
Schedule a call with our experts to find out how Holistic AI can help you with our visionary AI Governance, Risk Management, and Compliance Platform, as well as our suite of AI audit solutions.
DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.