Implementing Human Oversight: Bridging GDPR and the EU AI Act

Davide Borelli, Counsel, Data and Technology, Freshfields LLP
Caroline Louveaux, CIPP/E, CIPM, Chief Privacy, AI and Data Responsibility Officer, Mastercard
Gianluca Martinelli, AIGP, CIPP/E, CIPM, CIPT, Group Data Protection Officer and Digital Legal Counsel, Avolta

The EU AI Act establishes human oversight as a cornerstone of responsible AI governance, yet companies and institutions struggle to translate legal requirements into meaningful implementation. This session bridges theory and practice by examining how human oversight requirements intersect with established data protection principles, including human intervention under Art. 22 GDPR. Drawing on recent research and real-world examples, we present a structured, tiered framework for implementing human oversight and intervention while maintaining regulatory compliance. We will explore how companies and institutions can move beyond "oversight fallacy" toward evidence-based mechanisms that deliver genuine safeguards. Delegates will gain practical insights into resolving the “governance paradox,” managing transparency obligations while protecting proprietary information, designing oversight mechanisms that address automation bias, and developing participatory governance approaches. This business-friendly approach acknowledges AI developers' concerns while providing compliance strategies that reduce disruption to innovation pipelines. 

What you will learn:

• A practical tiered framework for implementing meaningful human oversight that satisfies EU AI Act requirements while respecting business realities as well as data protection and security. 
• Strategies to address key implementation challenges including automation bias, information asymmetries and resource constraints. 
• Approaches to balance regulatory compliance with innovation, ensuring human oversight and intervention enhances rather than hinders AI development.