International Trade Today is a Warren News publication.
Comm Daily Q&A

AI Will Drive GDPR Changes: European Data Protection Supervisor

EU privacy law will change to address the challenges of AI and other technologies, European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski told Communications Daily in a wide-ranging interview. He is urging governments not to wait for global privacy solutions to emerge before regulating AI but to use existing tools.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

The European Parliament and Council appointed Wiewiorowski in 2019 to a five-year term to head the Office of the EDPS, the privacy watchdog for the EU. He previously served as assistant EDPS and, before that, as inspector general for the protection of personal data at the Polish Data Protection Authority.

The following transcript of our conversation was edited for length and clarity:

The Office of the EDPS made it clear that the EU general data protection regulation (GDPR) applies to AI and generative AI, and that many countries have agreed, for instance, through the Global Privacy Assembly, that data protection principles should govern AI. But given the speed at which AI applications are proliferating, will enforcement be an issue?

There is never a situation where enforcement moves as fast as the development of new technologies or new environments in which the data is processed. So, on one hand, this is not a kind of competition -- “we will be on time with everything” -- and this is also not the first situation in which we are not sure if all the subjects we are interested in are covered.

I was quite skeptical at the beginning of the EU’s work on the Artificial Intelligence Act about the idea of having legislation, thinking that from the data protection point of view most of the protections are already well-established in the GDPR. Despite my initial skepticism, the approach of the [European] Commission to the draft measure, as well as the further discussion in the [European] Parliament and in the Council, began to be constructive and showed the need for regulation.

I’m of the same opinion as the [U.S.] Federal Trade Commission, for example, Commissioner [Alvaro] Bedoya, who said that he already has the tools that can be used for AI, which come from existing legislation. That’s the same situation as we have in Europe, and GDPR is part of this story.

A very respected Polish IT professor, Wojciech Cellary, said that the most important things for dealing with legal issues in the IT world are well-established professional ethics, and strong and enforceable working international law, preferably with a strong penal branch. You must have general ethics, but also the kind of stick that provides enforceable law in case something goes too far. In this sense, we are in a perhaps not comfortable but not bad situation by having the GDPR and surrounding rules, but there are definitely elements that should be added to existing law in the world.

Given what AI and generative AI do, no matter what kind of rules like-minded countries have, how do you protect against other actors who aren’t governed by the same sort of ethics that you’re discussing?

We do not have the time to wait until global solutions are created. We should use the things that we have an influence on. And the idea that every product, every service, which is available to the European customer and to people living in Europe or who are processing data from Europe must be in compliance with European law is something that we are very keen on. So that is the first approach; it’s a principle that’s set by European law and the GDPR is very strict about that.

At the same time, we try to take part in the global discussions about solutions. I’m not responsible for EU foreign affairs, so it’s not for me to say if China is a reliable partner for this kind of cooperation. I don’t do policy, but it’s my duty to remind that the mere fact some country has data protection law -- and China has data protection law -- does not mean that it looks the same as or is similar to Europe’s. We may have some hopes about the discussion with countries like China, or even Russia, but we should not be naive.

At the same time, the U.K. [and] the U.S. are our natural allies, and even if the United States does not have a comprehensive data protection law as we have in Europe, we try to cooperate with it as far as the use of the privacy protection principles where AI is concerned. We try to do it through G7, for example. This is an interesting platform for these talks because it connects like-minded countries, as does the Organisation for Economic Co-operation and Development, for example, but we have to remember that neither of these platforms is preparing a binding legal act. Global solutions could possibly come from the United Nations, which has just created a group to discuss the subject, or from the Council of Europe, which has global reach, for example, through the Cybercrime Convention.

Do you think that China will take affirmative steps to comply? I think you’re saying that the best thing you can do is just work in these multinational organizations and hope for the best.

Yes, and if you think about global cooperation with countries with which we don’t share all the privacy principles, we should be hopeful but not naive. And the fact that somebody is a member of some convention or that the country has a law which seems to be in compliance with those principles does not mean that in practice it looks like that.

I always give the example of Russia. Russia is a member of Convention 108 of the Council of Europe on the protection of personal data. Russia has a data protection authority, but the problem is not that Roskomnadzor [Russian federal executive mass media agency] is not effective. It is effective. It is a very good enforcer. The problem is that they are not only responsible for data protection, they are also responsible for limiting access to information, which is incompatible, in my opinion, with work as an independent data protection authority. We tried to cooperate with Roskomnadzor for years, but now we can see it doesn’t work at all.

Along these lines, do you feel U.S. lawmakers are spending too much time worrying about AI when they should be coming up with a privacy law?

It’s not my role to tell Americans how they should organize their own legislation. Of course, I would feel much more comfortable if the U.S. had a comprehensive data protection law rather than legislation only on the state level. But on the other hand, such a comprehensive data protection law should not go for any price. If its price means limiting the possibility to have well-established principles as there are in some U.S. states, then it’s probably better not to have it.

We have a situation where there is no comprehensive U.S. law, but some subjects are well regulated, for example, data breach notifications. There are 55 systems in the U.S. for data breach notifications, but the system is quite well organized. If the reason for having bipartisan agreement on data protection law would be to find a lowest common denominator, that’s probably not worth the work.

There was a discussion about whether it was satisfactory to have a presidential executive order [on data protection] rather than a congressional act. In some situations, executive orders may be effective -- but we must remember that this is only for the administration, although the AI executive order contains quite a lot of rules directed, in fact, to the market. At the same time, if we compare the way the executive order is prepared and the discussion that we’re having in the European Parliament and the Council on the AI Act, I would say I prefer this democratic way of legislating in the EU over the decision of the president of the United States.

Will the GDPR be tweaked to deal with AI?

A very difficult question, because it starts with whether there should be any changes to the GDPR. In the short run for Europe, with the term of the European Parliament and the Commission ending next year, it’s simply not possible. We will not have any draft of a change to the GDPR before 2025. I say 2025 because the new EC won’t be established until the end of 2024, and the Commission is the only legal body that can propose a draft of the new law.

I think there will be a discussion about changes to the GDPR starting in 2025. I cannot say that the main reason for that will be the development of AI, but I’m sure that it will take that into consideration.

And do you think other changes will be driven by enforcement issues we’ve seen come up in the years since the GDPR took effect?

Everybody who is interested in the GDPR can show a rule that he or she doesn’t like and everybody will come with their proposals. I hope they’ll deal only with enforcement or with several provisions in the practical chapters of the GDPR. I hope they will not touch the principles. That said, there are representatives of business and academia, as well as some politicians, who say that even some of the principles should be reviewed.

Finally, AI is enough of an issue now, but do you see anything else coming down the road that could have implications for data protection? New technologies? Other big issues?

If you ask me about the next buzzword we’ll use in 2025 or 2026, I don’t know. I think quantum computing will come at some stage, but we don’t know when and what exactly it will mean at this moment. But even with the things that we know now and with the current situation, there are real challenges for data protection law and privacy law -- such as the globalization of rules and privacy standards, which may mean that we’ll be discussing certification, and certification in GDPR is a challenge in itself.

Finally, I think we absolutely need a discussion about the scope of national security exemptions as far as privacy rules are concerned.