"As DPA, we feel we are fundamental rights defenders … and we need more resources." Dutch Data Protection Authority Chair Aleid Wolfsen has a clear vision of his mandate — and it goes beyond privacy. At this week's IAPP Data Protection Intensive: Nederland 2023, Wolfsen shared his reflections on the EU General Data Protection Regulation five years on and the three major developments it underpinned: the pervasiveness of digital throughout both public and private sectors, a shift of power in the online world ("it used to be with government, now it is with Big Tech"); and what he sees as an over-collection of personal data by governments, "often with limited or even counterproductive effects."

Like the GDPR, new European laws — the Digital Markets Act, the Digital Services Act and the upcoming Artificial Intelligence Act — are value-driven legislation. Wolfsen applied these reflections to today's challenges, particularly regarding the use of AI algorithms. In his view, the GDPR provides principles and many safeguards that will help address concerns related to AI. "Requirements of lawfulness, fairness and data minimization can help prevent errors. … Principle of data quality and integrity help organization organize their process effectively from the start." The Dutch DPA is assertively positioning on AI and has entered cooperation with other supervisory authorities — consumers and markets, media — to create a platform for digital supervision. Among this group, the DPA will coordinate the supervision of algorithms, positioning itself as the lead AI supervisory authority once the EU AI Act becomes a reality.

In addition, Wolfsen pointed to the five areas to which the DPA is strongly committed. First, it will closely monitor the government's data collection practice to ensure the "public sector leads by example." It will also continue to focus on technology companies. Second, when it comes to handling data subjects' complaints, Wolfsen regretted that by the time a complaint is lodged, "damage has been done;" he wants the authority to be more proactive to prevent abuses in the first place. Third, he sees interpreting the "law's abstract notions" and giving clearer guidance as essential for the GDPR and new EU laws. Fourth, in light of the increasing use of algorithm and AI systems, the DPA will "look under the hood where possible," to better grasp how algorithms are trained and what assumptions it uses. Lastly, he conceded the DPA could not do all of that alone. In the next five years, Wolfsen wants to take steps for organizations to adhere to rules and start investing in good data management as a way to increase business efficiency. "The DPA is not only a referee and an enforcer where necessary, it should also be a coach to ensure the team goes for that one common goal."

Leaving Rotterdam and going back to Brussels, not to be a monomaniac, but it is difficult not to talk about AI these days. Case in point, even the EU cybersecurity agency ENISA is now looking at the intersection between AI and cybersecurity. During a conference held in Brussels recently, ENISA focused the discussions on the security considerations and challenges pertaining to cybersecurity certification and AI, how to secure AI systems, and what the AI Act will mean for cybersecurity.

Meanwhile, the AI Act is moving along. This week, the European Parliament formally endorsed its final report on the draft AI Act. A first meeting was set to take place already the evening of the vote to officially launch the trilogue negotiations. The political impetus to conclude this remains strong. Institutional stakeholders are all frantically working to finalize this new piece of legislation by late 2023/early 2024.

The parliament's version differs from the European Commission's original proposal on a few significant aspects, including the obligations on the deployer of AI regarding bias, the expansion of bans to also include remote biometric identification in real-time, the inclusion of AI foundation models in the material scope of the regulation. You can compare both versions in this document and read the Council of the EU's general approach text here. TL;DR? you can also watch the recording of my recent LinkedIn Live unpacking these different versions here.

Once finalized, this regulation will be directly applicable in all EU member states and European Economic Area countries, with a transition period. Its duration will be part of the upcoming negotiations and could range between 24 to 36 months or even be segmented to allow for sequential implementation. If the text enters into force in March 2024 and becomes applicable around March 2026, at least five years will have passed since the proposal was first drafted. This raises — much like for any data stewardship policy drafting — the question of how future-proof this regulation will be against a technology that evolves almost by the minute and whose volatile nature has already greatly influenced the parliamentary debates and DPAs approach and will likely continue to do so.