Navigating AI Development in the Private Sector: Insights from the Austrian DPA on the EU AI Act and GDPR

The Austrian Data Protection Authority (DPA) has issued a crucial statement detailing how the EU AI Act will intersect with the existing General Data Protection Regulation (GDPR) for private sector AI applications. Here are the key takeaways:

1. Dual Compliance Requirement: The GDPR will continue to apply alongside the AI Act when personal data is processed. AI systems that handle personal data must establish a legal basis for processing under Article 6(1) of the GDPR. For sensitive data categories, the stricter conditions in Article 9(2) must be met.

2. Legal Basis is Essential: While the GDPR does not obstruct AI development, it mandates a proper legal basis for data processing. Without this, the use or development of AI systems may be considered inadmissible.

3. Burden of Proof: The responsibility for demonstrating compliance with data protection laws rests with the data controller.

4. Automated Decision-Making: Article 22 of the GDPR is particularly significant in the context of AI. The European Court of Justice tends to interpret this broadly (judgment in case C-634/21, SCHUFA Holding AG), meaning AI systems used for solely automated decision-making must comply with Article 22's provisions.

5. Case Study - AMAS: The Austrian Supreme Administrative Court's ruling on the Public Employment Service's algorithm (part of the Labour Market Opportunities Assistance System) highlights this. Despite being advisory and involving human final decisions, it was deemed automated decision-making under Article 22 GDPR.

In conclusion, the Austrian DPA underscores that adherence to GDPR is vital when processing personal data with AI systems. Compliance with data protection principles and having a legal basis for processing are mandatory. Any non-compliance can lead to corrective actions, including fines. As the EU AI Act comes into play, organizations must ensure their AI systems align with both GDPR and the new regulations to avoid legal pitfalls.