The advancement of technologies, particularly artificial intelligence (AI), inevitably affects our daily lives and raises important questions regarding privacy protection. This article explores the key aspects of the relations between artificial intelligence and personal data protection, with a particular focus on the European Regulation on Artificial Intelligence (AI Act) in relation to the General Data Protection Regulation (GDPR), as well as the legislation of Serbia.
Artificial Intelligence and Data Protection: New Horizons
Artificial intelligence presents significant benefits but also substantial challenges. AI algorithms can analyze vast amounts of data, including personal data, which can enhance business model efficiency and forecast new trends. However, this technology often operates in a “black box” – its mechanisms and decisions are not always transparent, potentially undermining individuals’ personal data. For instance, facial recognition systems, credit scoring assessments, and employment decision-making processes frequently utilize sensitive personal data without a clear legal basis for this kind of processing.
Artificial intelligence can infringe upon citizens’ privacy and freedom, especially when deployed in areas such as public safety. Law enforcement agencies, health institutions, and private companies utilize citizens’ data, raising concerns regarding security and accountability. While data facilitates more effective decision-making, there is a risk of misuse, particularly if companies or states fail to implement adequate protective measures. In this context, proper regulation is essential for building trust and ensuring the protection of fundamental rights.
The Role of the AI Act
The European Union has recognized the need for the regulation of artificial intelligence, leading to the enactment of the Regulation on Artificial Intelligence on August 1, 2024. The European Regulation on Artificial Intelligence aims to strike a balance between innovation and citizen protection. Particular attention is given to ethical issues, such as algorithm transparency, non-discrimination, human intervention, and accountability. It is emphasized that the EU’s goal is to safeguard the rule of law from “technological governance,” which is crucial for the preservation of democracy and the protection of fundamental human rights.
GDPR and AI Act Relations
The GDPR and AI Act operate synergistically concerning personal data. The GDPR provides a framework for personal data protection, encompassing rules regarding the legality of processing, processing purposes, and individual rights. When AI systems utilize personal data, it is incumbent upon them to ensure that such data is processed in compliance with the GDPR.
One of the primary challenges is automated decision-making based on algorithms. The GDPR acknowledges in Article 22 the right of an individual not to be subject to decision-making based solely on automated processing that has legal or similar to legal effects. This protection encompasses assessments of personal characteristics such as economic status, health, or behavior that produce legal consequences or significantly impact the individual. In practice, this may include credit denial or automatic candidate selection for employment.
In instances where personal data is used to train AI models, companies must ensure that their processing complies with both legal frameworks. This necessitates clearly defining the processing purpose and achieving legitimate bases for data utilization.
The Future of Artificial Intelligence Regulation in Serbia
Serbia is actively working on the adoption of the Law on Artificial Intelligence, with a draft expected to be completed by mid-2025. Given Serbia’s obligations toward the European Union through the Stabilization and Association Agreement, it is anticipated that the law will be largely aligned with the EU Regulation on Artificial Intelligence.
New Regional Development on AI-Processed Personal Data
At a meeting held in Sarajevo on September 4, 2024, independent supervisory authorities from Serbia, Montenegro, and Bosnia and Herzegovina agreed on a coordinated response toward Meta and X due to violations of privacy regulations in the region. The meeting was convened in light of these companies’ disregard for user privacy, as they have neither designated representatives for data processing in the region nor provided prior notifications to users regarding the processing of data for the purpose of artificial intelligence development. The Commissioner of Serbia, the Agency of Montenegro, and the Agency of Bosnia and Herzegovina plan to undertake joint activities and address the European Data Protection Board (EDPB) and the Irish Data Protection Commission in order to put additional pressure on Meta to alter its practice.
By Nenad Cvjeticanin, Managing Partner, Cvjeticanin & Partners
This article was originally published in Issue 11.10 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
