On March 12, 2020, the Centre for Information Policy Leadership (“CIPL”), in collaboration with Hunton Andrews Kurth LLP, published its legal note, “Artificial Intelligence and Data Protection: How the GDPR Regulates AI.”

This note explores the various ways in which the EU General Data Protection Regulation (“GDPR”) currently regulates the development and use of artificial intelligence (“AI”) by organizations processing personal data. The paper examines:

  • The applicability of the GDPR generally to AI, for example, through the data protection principles, the obligations it places on organizations and the oversight of data protection authorities;
  • The GDPR provisions that are of particular relevance in the context of AI use, such as the requirement to carry out a data protection impact assessment where “new technologies” are used; and
  • The GDPR provisions that specifically regulate the use of AI, i.e., the provisions that relate to automated decision-making.

This legal note is the first deliverable of CIPL’s Special Project on Drafting an EU Approach to AI and Leveraging GDPR, Accountability and Industry Best Practices, which aims to facilitate expert dialogue and engagement between EU policy makers and industry leaders in AI use and development. It follows the release by the European Commission of a White Paper entitled “a European Approach to Excellence and Trust” on AI, pursuant to Commission President Ursula von der Leyen’s call in November 2019, to propose rules to regulate AI within the first 100 days of her Presidency (which commenced on December 1, 2019).

Read the report on Artificial Intelligence and Data Protection: How the GDPR Regulates AI.