German Federal Data Protection Authority emphasises the importance of regulatory sandboxes

Following the publication of the AI Act in the official journal on 12 July, the German Federal Data Protection Authority (BfDI) commented on it on 16 July:

• highlighting the role of data protection authorities (DPAs) in supervising AI systems, especially where they process personal data or fall under the category of high-risk AI systems. The BfDI explains that the AI Act complements the GDPR and grants new tasks and powers to DPAs, such as additional rights to access documents, conduct technical investigations, and to inform the public about on serious incidents. The BfDI stressed the need for close cooperation and coordination among the DPAs and other supervisory authorities at national and EU level, as well as to involve the DPAs in the innovation of AI, in particular through AI regulatory sandboxes (Art. 59 AI Act); and
• pointing at some of the challenges and open questions that the AI Act poses for data protection and AI governance, such as the complex and sector-specific supervisory structures. It calls for more clarity and consistency in applying the AI Act and the GDPR, as well as having more safeguards and limitations for the use of biometric remote identification systems, which are considered high-risk AI systems under the AI Act. The BfDI emphasises its desire to further contribute to the development and implementation of the AI Act and to safeguard data protection in the context of AI.

Authors: Alexander Duisberg (Partner); David Plischka (Associate); Lisa Kopp (Associate)