Gdpr and AI

Privacy and digital, companies in the maze of EU rules

Dangerous overlaps between the GDPR and the AI regulations make data management difficult: from 12 September the Data Act makes information collected through connected objects accessible

by Valeria Uva


4' min read


Ai Act, Dma, Dsa, Data Act: European digital legislation is a labyrinth of acronyms. But the jumble of directives and regulations from Brussels also risks becoming a puzzle for companies in the sector, which are called upon to apply the new regulations one after the other.

In the beginning there was the Gdpr, the EU privacy regulation in force since 2018. The regulation is still in force, so much so that other European rules refer to the Gdpr for the data protection part.


Since then, many other pieces of legislation have been added, often regulations, and thus immediately applicable in all member states, each governing one piece of the digital sphere. The Ai Act, for instance, deals with the use of artificial intelligence systems: it is already partly operational, but will become fully operational in August 2027. The Digital Markets Act (DMA) and the Digital Services Act (DSA) look at large platforms (so-called gatekeepers) and online commerce, seeking to ensure full competitiveness, but also to protect users and moderate content.

Next will be the Data Act: the EU regulation will be in force from 12 September, regulating access to data generated by connected products (smartwatches, cars or smart voice assistants) from then on.

It will be another piece in an increasingly rich and complex jigsaw puzzle, one that is complicating life for companies grappling with compliance with these regulations, which are not always coordinated with each other, as some of the examples of overlap in the factsheet on this page show. Take for example the 12 September deadline for the Data Act: from that day onwards, manufacturers of connected services will have to make personal data collected during use accessible and sharable to users, and inform them of their access rights. Yes, but how? Companies are wondering whether it is enough to update the 'Terms and Conditions' section of the contract or whether an ad hoc note is needed. Not only that. Technical interventions are also necessary: until now, data was collected for internal use, and was therefore perhaps not completely traced or was stored in unreadable formats, but now it must be made comprehensible to the user who requests it. But the real crux is the regulatory overlap: 'The Data Act requires accessibility and sharing, but we also need an assessment for the purposes of the GDPR to understand which data can really be shared without violating the rules of this regulation,' explain Francesca Gaudino and Filiberto Brozzetti, respectively head of the Tech and data privacy department and of counsel at Baker McKenzie, who edited the factsheet on this page.

The risk of a short circuit is just around the corner. The same regulatory conflict also recurs between the Ai Act on artificial intelligence and, again, the Privacy Regulation. The former imposes a risk assessment for the use of data (including to train the system, as illustrated in the first example in the factsheet) that could give a positive result, indicating a 'low' risk, because the objective of training generative AI is considered primary. But then a second assessment must be carried out on the processing of the same data on the basis of the Gdpr, which, on the contrary, could indicate a high risk, because in this case the focus is on the protection of confidentiality, sensitive information and the minimisation of the data to be used.

The EU itself is aware of 'interferences and overlaps': the topic was also raised in the Report of the European Parliament's Research Office on Privacy Regulation and AI ('The impact of the General Data Protection Regulation (GDPR) on artificial intelligence'), which emphasised that a number of questions relating to data processing in artificial intelligence are not answered by the privacy regulation and that much more guidance is needed from the EU Commission, governments but also supervisory authorities to avoid 'costs related to legal uncertainty' for companies.

Complicating matters further, some countries, including Italy, have chosen to entrust the supervision of the various regulations to different authorities: the Privacy Guarantor for the GDPR, and the Digital Agency and the Cybersecurity Agency (Agid and Acn) for the Ai Act. "They are two separate entities that might have different views and sensitivities on the same issues," observe Gaudino and Brozzetti. The result is that in this first phase of compliance with European regulations, companies are at a standstill, stuck in innovation or, at best, navigating by sight. This was also emphasised by Mario Draghi: in his Report on the Future of European Competitiveness, he counted no less than 100 regulatory acts of European origin regulating the use of digital technologies and networks and 270 Supervisory Authorities in the Member States. A Babel that, according to Draghi, holds back the innovation capacity and competitiveness of companies.

Other intersections are on the horizon, in particular between the GDPR and the Data Governance Act (DGA), which establishes a real 'data market' to foster economic growth and also introduces the concept of data altruism. The regulation still awaits some implementing provisions, including the identification of intermediaries for the purchase and sale of data. For the lawyers, 'it will bring a completely new point of view: the Gdpr does not provide for data re-use, now instead the Dga encourages it. We will have to wait for the change of perspective'. That change must also come from companies, which will have to move from being afraid to use the information collected to valuing it as a real strategic asset, even in their balance sheets.

Copyright reserved ©