CIPP/E Study Guide
Ch 17.10 - AI, Art 22, AI Act

Artificial Intelligence and the EU AI Act

AI systems use personal data across design, training, testing and deployment, so the GDPR applies throughout. Transparency is hard but, under Articles 13/14, individuals must get meaningful information about the logic of significant automated decisions. The EDPB says service improvement generally can't rely on Art 6(1)(b) contract; withdrawing consent stops further processing but a trained model need not be deleted (subject to anti-reidentification measures). Solely automated AI decisions with significant effect engage Article 22. The proposed AI Act bans some systems, tightly regulates high-risk ones, and threatens fines up to 6% of worldwide turnover.

AI Act - risk categories
Category | Examples / treatment
Prohibited | Subliminal/vulnerability-exploiting manipulation causing harm; public-authority social scoring; real-time remote biometric ID in public for law enforcement (limited exceptions)
High-risk | Permitted but strict: training-data quality, documentation, transparency, human oversight, accuracy, security, conformity assessment, public registration, CE marking
Limited / transparency | Notice for systems interacting with people, emotion-recognition, biometric categorisation, and 'deep fakes'

AI Act enforcement

Member state authorities supervise; a European Artificial Intelligence Board ensures consistency. Non-compliance can mean fines up to 6% of total worldwide annual turnover, with a 24-month implementation period once finalised. The Act has extraterritorial reach like the GDPR.

  • Personal data is used at design, training, testing and deployment - GDPR applies throughout
  • Significant solely-automated AI decisions: provide meaningful info about the logic (Arts 13/14) and engage Article 22
  • Service improvement generally can't rely on Art 6(1)(b) contract (EDPB)
  • Withdrawing consent stops further processing, but a trained model need not be deleted - guard against reidentification
  • Testing for bias may need special category data - an Article 9(2) condition is required; the AI Act would permit this for bias correction in high-risk systems

Key terms - quick answers

What is “AI”?
Software using techniques (e.g. machine learning) that, for human-defined objectives, generate content, predictions, recommendations or decisions.
What is “AI Act”?
Proposed EU regulation (published 21 April 2021) with a risk-based approach: prohibited, high-risk and lighter-touch AI systems.
What is “High-risk AI system”?
AI permitted but subject to strict requirements (data quality, documentation, human oversight, conformity assessment, CE marking, registration).