The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposed Digital Omnibus. Among other things, the Digital Omnibus seeks to simplify the implementation of certain harmonised rules under the AI Act to ensure their effective application.
The EDPB and the EDPS support the objective of addressing practical challenges relating to the implementation of the AI Act. However, they say that administrative simplification must not reduce the protection of fundamental rights. The Joint Opinion acknowledges the complexity of the AI landscape and welcomes efforts to ease burdens for organisations. However, it says that certain proposed changes could undermine the protection of individuals in the context of AI.
According to the EDPB and the EDPS, the Proposal would provide more opportunities to process special categories of personal data (such as ethnicity or health data) for bias detection and correction to providers and deployers of any AI systems and models, subject to appropriate safeguards. The EDPB and the EDPS recommend specifying that this data may be used for bias detection and correction only in limited circumstances where the risk of adverse effects from such bias is considered sufficiently serious.
The EDPB and the EDPS advise against the proposed deletion of the obligation to register AI systems, when they fall under the categories listed as high-risk, even if the providers deem their systems to be ‘non-high risk’. The EDPB and the EDPS consider that this change would significantly undermine accountability and create an undesirable incentive for providers to unduly claim exemptions to avoid public scrutiny.
The EDPB and the EDPS welcome the creation of EU-level AI regulatory sandboxes to promote innovation. To ensure legal certainty, the Joint Opinion recommends that data protection regulators supervise data processing within sandboxes. In addition, the EDPB should be afforded an advisory role and the status of observer at the European Artificial Intelligence Board to ensure consistency in relation to EU-level sandboxes. In addition, the supervisory role of the AI Office regarding AI systems based on a general-purpose AI model should be clearly delineated and should not overlap with the independent supervision by the EDPS of AI systems developed or used by EU institutions, bodies, offices or agencies.
The EDPB and the EDPS support the goal of streamlining cooperation between fundamental rights authorities or bodies and market surveillance authorities, and the reliance on a central point of contact to increase efficiency. However, they recommend clarifying the role of the MSAs as administrative points of contact for the execution and transmission of requests to providers and deployers, and ensuring that the independence and powers of national data protection regulators are unaffected.
The EDPB and the EDPS also recommend maintaining a duty for AI providers and deployers to ensure AI literacy among their staff. Any new obligation to foster AI literacy placed on the European Commission or member states should complement, not replace, the responsibilities of the organisations actually developing and using these systems.
Finally, the EDPB and the EDPS have expressed concerns regarding the proposed postponement of core provisions for high-risk AI systems. In view of the rapid evolution of the AI landscape, they ask if the original timeline can be maintained for certain obligations, such as transparency requirements, and to minimise delays to the extent possible.
