A new report from the European Parliamentary Research Service (EPRS) warns of a potential legal conflict between the EU AI Act and the GDPR, particularly concerning the use of sensitive personal data to mitigate algorithmic bias.
The AI Act, which came into force in August 2024, aims to regulate (amongst other things) high-risk AI systems and prevent discrimination. It permits the processing of special categories of personal data (e.g. ethnicity and health data) under strict conditions to help detect and correct biases in AI decision-making. However, the GDPR imposes stricter restrictions on processing such data, leading to concerns that AI providers and developers could face legal uncertainty when trying to comply with both regulations.
According to the EPRS analysis, these contradictions could hamper the effectiveness of the AI Act’s bias mitigation measures. The report suggests that legislative clarifications or additional regulatory guidance may be needed to ensure that AI providers and developers can comply with both frameworks without facing legal risks.
Read the full EPRS report here.