Comments of the President of the Polish SA on the draft Act on artificial intelligence systems
The President of the Personal Data Protection Office, Mirosław Wróblewski, commented on the draft Act on artificial intelligence systems (UC71) presented to him for an opinion by the Minister of Digital Affairs.
The concept of supervision over artificial intelligence systems in Poland presented requires – in the opinion of the President of the Personal Data Protection Office – a significant modification and adaptation to the provisions of the GDPR. At the same time, it is necessary to clarify the status of the President of the Personal Data Protection Office (his representative) in the Commission to be established in such a way as to ensure that he performs independently the tasks arising from acts of national and EU law, including the case-law of the CJEU.
The President of the Personal Data Protection Office pointed out that the powers of the supervisory authority and its leading role in the field of personal data protection cannot be disregarded when implementing EU legislation on artificial intelligence into the national law. They result from the GDPR as well as from the EU Artificial Intelligence Act (AI Act).
1. The role of the President of the Personal Data Protection Office as a supervisory authority in the supervision of AI systems processing personal data
Fundamental rights, the protection of which is guaranteed by the EU Charter of Fundamental Rights and the Treaty on the Functioning of the European Union, are subject to specific supervision in the field of artificial intelligence applications. One of these rights is the right to the protection of personal data. The compliance with this right is subject to control by an independent authority. In Polish legal system the only such an authority is the President of the Personal Data Protection Office.
The draft Act should take into account the special position of the supervisory authority for the protection of personal data, resulting from both the provisions of the AI Act and the GDPR when shaping the supervision of artificial intelligence systems in Poland. However, this standard was not expressed in the provisions of the draft Act. The exclusive competence of the President of the Personal Data Protection Office for the protection of personal data processed as part of AI systems and the fact that it is solely for him to take decisions regarding the supervision of such matters does not follow from the provisions of the draft Act.
2. The role of the representative of the President of the Personal Data Protection Office in the Commission dealing with artificial intelligence in the context of privacy requirements
The participation of the President of the Personal Data Protection Office’s representative in the work of the Commission would therefore be possible only as an expert and assuming that the issue of the processing of personal data is not covered by the Commission’s decision-making process, since this is the exclusive competence of the President of the Personal Data Protection Office. These guarantees should be enshrined in the Act. This is important in connection with the one of the draft Act’s provisions (Article 9 of the draft Act) indicating that members of the Commission shall assist the President of the Commission in the performance of statutory tasks, in particular in matters within the competence of the entity of which they are representatives. At the request of the President, they shall present activities relating to the development, introduction, use, control or supervision of AI systems in the entity of which they are representatives.
It should be pointed out that the representative of the President of the Personal Data Protection Office, due to the need to maintain independence, resulting directly from EU law, cannot be obliged by any provisions, including the proposed Act, to take action for another authority or to adapt to decisions that could potentially encroach on its competence.
3. The role of the President of the Personal Data Protection Office as a market surveillance authority in the light of Article 74(8) of the Artificial Intelligence Act
The draft Act also does not reflect the competences of the President of the Personal Data Protection Office resulting directly from the AI Act. This raises concerns about the compliance of the draft Act with the provisions of the regulation, i.e. the Artificial Intelligence Act. Article 74(8) of the AI Act explicitly stipulates that Member States shall designate their data protection supervisory authorities as market surveillance authorities.
It follows from that provision that, in order for the supervisory authority for the protection of personal data to supervise the systems referred to in that provision (including high-risk AI systems to the extent that those systems are used for law enforcement, border control and justice and democracy purposes), a decision of the national legislator is required. Although the Regulation is a directly applicable act, in this case the EU legislator decided that appropriate action should be taken at national level.
The national legislator is therefore bound by this regulation – it cannot designate an authority other than the one referred to in Article 74 (8) of the AI Act does not want to expose itself to the allegation of incorrect implementation of EU legislation, it must take such action.
4. The role of the President of the Personal Data Protection Office in the light of Article 77 of the Artificial Intelligence Act
Pursuant to Article 77(1) of the AI Act, national public authorities or bodies that supervise or enforce fundamental rights in relation to the use of high-risk AI systems shall have the right to request any documentation needed to effectively fulfil their mandates.
According to Article 77(2) of the AI Act each Member State shall designate those authorities and make the list of them publicly available. They shall also communicate this to the European Commission and the other Member States. However, the list published by the Ministry of Digital Affairs does not identify the supervisory authority for data protection.
5. Risks of duplication and duality (including judicial review, Court of Competition and Consumer Protection)
The provisions of the GDPR concern the supervision of matters related to the processing of personal data governed by the provisions of the Artificial Intelligence Act. It is therefore a matter that falls under the competence of the President of the Personal Data Protection Office. Supervisory authorities – including the President of the Personal Data Protection Office – are already taking action against operators of AI systems who do not comply with their obligations in data processing processes to the extent that they are used to train algorithms when in interaction with services such as Chat GPT.
Therefore, another important issue that should be addressed are those provisions of the draft Act that concern the overlapping of competences resulting from both EU regulations, i.e. the GDPR and the AI Act. Neither of those acts confers primacy over the other.
The powers of the President of the Personal Data Protection Office and his leading role in the field of personal data protection cannot therefore be overlooked when ensuring the application of EU legislation on artificial intelligence in national law.
All comments made by the supervisory authority can be found in the opinion on the draft Act on artificial intelligence systems set out below.
DOL.401.354.2024
