The regulatory and supervisory labyrinth in the digital agenda for Europe: rationalization proposals

The recent publication of the Artificial Intelligence Act is one of the main regulatory achievements in the field of the digital economy, also known as the information economy or data economy. From a structural standpoint, it is an extremely complex piece of legislation that seeks to regulate the use of AI systems; a novel and changing area. The contents regulated in the Act include a governance and supervisory structure that establishes the creation of various competent authorities both at a national level in each member state, as well as at EU level.

The approach makes perfect sense, because an act that implements the obligations of the affected entities to such an extent must go hand-in-hand with an adequate verification of its application. However, if we look at the matter from a wider perspective, it is evident that the authorities envisaged in the AI Act, join another array of supervisory, governance, surveillance and registration authorities that have been created in several European regulations that have been adopted in connection with the digital agenda for Europe over the last few years. Supervisory and/or surveillance and/or registration authorities have been created, at times with powers to impose penalties, in the GDPR, the Data Regulation, the Data Governance Regulation, the NIS 2 Directive and the DORA Regulation, to name but a few.

This reality, which the world of business may view as a disproportionate increase in administrative formalities and red tape, could be mitigated, if efficiency and specialty criteria are applied, to ensure that the various supervisory functions are assumed by the same authority with similar or related functions.

In this regard, the EDPB has published a statement in which, with regard to the AI Act, it affirms that it is advisable for the data protection supervisory authorities created by the GDPR to assume the duties of the market surveillance authority. This is based on the recognition that the Act and European privacy rules such as the GDPR or the e-Privacy Directive, should be considered and interpreted coherently as supplementary instruments that provide mutual support.

This recommendation by the EDPB is related to the statement that data protection (both personal and non-personal) in the lifecycle of an AI system, especially high-risk systems, is clearly central to the different technologies covered by the umbrella of the definition of AI in the Act. In addition, as the EDPB held in its Joint Opinion with the European Data Protection Supervisor (EDPS), it is also related to the experience already gained by the supervisory authorities in connection with AI, the benefits of implementing a single point of contact for market operators and their degree of independence, which furthermore avoids possible discrepancies between the decisions of both supervisory authorities.

Since some Member States (such as Spain) have initiated legislative processes for the creation of these supervisory authorities contemplated in the AI Act alongside the data protection supervisory authorities, the EDPB remarked on the importance that the entities should collaborate in future processes based on article 4(3) of the Treaty on European Union.

In short, the EDPB recommends that data protection supervisory authorities should be designated, in countries where they still do not exist, such as the market surveillance authorities for the high-risk AI systems mentioned in the AI Act.

In our opinion the digital economy should move towards an aggregation of functions, in order to avoid an excessive dispersal of supervisory, inspection and penalty bodies, which would ultimately place a barrier on the appearance and progress of market operators.