Thursday 23 May 2024
HT Aula


Although new technological contexts such as the use of artificial intelligence may require new, technology-specific legislative provisions, the General Data Protection Regulation (GDPR) is still the tool of choice to regulate personal data processing. This is also due to the fact that the GDPR is broadly applicable, as confirmed by case law of the Court of Justice of the EU (CJEU). Indeed, it has become easier to classify data as personal, as the terms “related to” and “identified or identifiable” as elements of the definition of personal data are interpreted broadly. Therefore, one may wonder whether the “general” in the GDPR could not be understood more broadly in terms of scope. For example, a general European data law could address various undesirable side effects of digitisation more comprehensively, becoming the ideal partner for any AI law. A broader risk-based harm approach, justified by the increasing importance of the interconnectedness of data and the intentions of data use, represents an interesting starting point in transforming the GDPR into a general European data law. For these reasons, our panel will focus on the following two topics. First, the increasing challenges in providing legal interoperability, specifically with regard to regulating AI, are highlighted. Second, the panel will explore the possibility of transforming the GDPR into a general European data law via a risk-based harm approach. Indeed, this could provide a new way to address legal interoperability issues and thereby also address the broader unwanted side effects of digitalisation, again particularly in relation to AI.

  • The concept of personal data and the categories of personal data act as focal points for applying various regulations and rules as well as the harm they seek to address, can this still be justified? Specifically considering the example of GDPR and the AI Act?
  • Can synergies be found between specific concepts from the GDPR and the AI Act, e.g. related to the understanding and regulating of risk? 
  • Are concepts, principles and rights from the GDPR universal enough to be applied more widely? Does taking data protection measures based on the nature of the data still make sense in today’s technological contexts?
  • Which unwanted side effects of digitisation (specifically in relation to AI) should be addressed by a general European data law and which should not? Where exactly does the added value of specific legislation lie?
  • Is a risk-based harm approach a beneficial way to make the GDPR a more general data law, making it an ideal partner of the AI Act?

Did you see these?

You might be interested in these panels as well: