World Economic Forum, ‘Future of Jobs Report’ (May 2023), 6 accessed 10 October 2024 (unless otherwise stated, all online sources have last been accessed on 10 October 2024).
Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act), PE-CONS 24/24 .
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.
See Pier Giorgio Chiara, ‘Italian DPA v. OpenAIs ChatGPT: The Reasons Behind the Investigation and the Temporary Limitation to Processing’ (2023) 9(1) EDPL 68-72. See also, Janos Meszaros et al, ‘ChatGPT, Are You Lawfully Processing my Personal Data? GDPR Compliance and Legal Basis for Processing Personal Data by OpenAI’ (2024) 1(2) AIRe 223-239.
For an overview see Alexander Golland, ‘KI und KI-Verordnung aus datenschutzrechtlicher Sicht‘ (2024) EuZW 846; Hannah Ruschemeier, ‘Generative AI and Data Protection‘ in Calo, Ebers Poncibo and Zou (eds), Handbook on Generative AI and the Law (Cambridge University Press 2024 – forthcoming).
EPRS, Panel for the Future of Science and Technology, ‘The Impact of the General Data Protection Regulation (GDPR) on Artificial Intelligence’ (June 2020), executive summary .
ICO, ‘Guidance on AI and Data Protection’ (last updated 15 March 2023) ; EDPS, ‘Generative AI and the EUDPR. First EDPS Orientations for Ensuring Data Protection Compliance when Using Generative AI Systems’ (3 June 2024) .
The DSK (Data Protection Conference) is composed by the independent German federal and state data protection supervisory authorities. The DSK is tasked to safeguard and protect data protection rights, to achieve a uniform application of European and national data protection law and to jointly work on its further development. This is achieved inter alia through resolutions, decisions and guidance.
DSK, ‘Hambacher Erklärung zur Künstlichen Intelligenz’ (3 April 2019) .
DSK, ‘Positionspapier der DSK zu empfohlenen technischen und organisatorischen Maßnahmen bei der Entwicklung und dem Betrieb von KI-Systemen’ (6 November 2019) .
Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit, ‘Checklist fort he Use of LLM-Based Chatbots’ (13 November 2023) .
Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg, ‘Rechtsgrundlagen im Datenschutz beim Einsatz von Künstlicher Intelligenz’ (Diskussionspaper, Version 1.0, 7 November 2023) .
The DSK (Data Protection Conference) consists of the independent German federal and state data protection supervisory authorities. The DSK is tasked to safeguard and protect data protection rights, to achieve a uniform application of European and national data protection law and to jointly work on its further development. This is achieved inter alia through resolutions, decisions and guidance.
Such DSK orientations outline the data protection framework and regulatory options for various subject areas. They are intended to aid data controllers in applying and implementing data protection law.
DSK, ‘Orientierungshilfe der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 6. Mai 2024, Künstliche Intelligenz und Datenschutz, Version 1.0’ (6 May 2024) .
Ibid, para 1.
Ibid, para 3. Cf. art. 5 AI Act. Since the AI had not yet formally been signed and published in the EU’s Official Journal, when the DSK Orientations were published, they are not referring to specific provisions of the AI Act.
Ibid, paras 4 et seq.
Ibid, para 5.
Ibid, paras 7 et seq. As regards the legal basis, the DSK Orientations refer to Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg, ‘Rechtsgrundlagen im Datenschutz beim Einsatz von Künstlicher Intelligenz’ (n 12).
DSK (n 15), paras 12 et seq.
Ibid, paras 15 et seq.
Ibid, paras 21 et seq.
Ibid, para 24.
Ibid, para 25.
Ibid, para 27.
Ibid, para 29.
Ibid, para 32.
Ibid, paras 33 et seq.
Ibid, para 35.
Ibid, para 36.
Ibid, paras 38 et seq.
Ibid, para 40.
Ibid, paras 41 et seq.
Ibid, para 43.
Ibid, paras 44 et seq.
Ibid, paras 46 et seq.
Ibid, paras 48 et seq.
Ibid.
Ibid, paras 62 et seq.
Ibid, paras 64 et seq.
CNIL, ‘Les Fiches Pratiques IA’ (8 April 2024, complemented on 10 June 2024) nos 7 to 12 of these ‘how-to sheets’ are open for public consultation until 1 October 2024 .
CNIL, ‘Artificial Intelligence: the Action Plan of the CNIL’ (16 May 2023) .
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L 119/89.
CNIL, ‘IA: Déterminer le régime juridique applicable’ fiche no. 1 (8 April 2024) .
CNIL, ‘IA: Définier une finalité” fiche no. 2 (8 April 2024) .
CNIL, ‘IA: Déterminer la qualification juridique des acteurs’ fiche no. 3 (8 April 2024) .
CNIL, ‘IA: Assurer que le traitement est licite – En cas de réutilisation des données, effectuer les tests et vérifications nécessaires’ fiche no. 4-2 (8 April 2024) .
CNIL, ‘IA: Tenir compte de la protection des données dans la conception du système’ fiche no. 6 (8 April 2024) .
CNIL, ‘IA: Tenir compte de la protection des données dans la collecte et la gestion des données’ fiche no. 7 (8 April 2024) .
CNIL, ‘IA: La base légale de l’intérêt légitime: fiche focus sur la diffusion des modèles en source ouverte (open source)’ fiche 8-1 (10 June 2024) .
CNIL, ‘IA: La base légale de l’intérêt légitime: fiche focus sur les mesures à prendre en cas de collecte des données par moissonnage (web scraping)’ fiche 8-2 (10 June 2024) .
CNIL, ‘IA: Informer les personnes concernées’ fiche no. 9 (10 June 2024) .
CNIL, ‘IA: Respecter et faciliter l’exercice des droits des personnes concernées’ fiche no. 10 (10 June 2024) .
CNIL, ‘IA: Annoter les données’ fiche no. 11 (10 June 2024) .
CNIL, ‘IA: Garantir la sécurité du développement d’un système d’IA’ fiche no. 12 (10 June 2024) .
CNIL, ‘Self-Assessment Guide for Artificial Intelligence (AI) Systems’ available at .
CNIL, ‘The CNIL Creates an Artificial Intelligence Department and Begins to Work on Learning Databases’ (26 January 2023) .
Philipp Quiel, ‘Board of German Data Protection Authorities (“DSK”) Publishes first Guidelines on Data Protection for AI’ (7 May 2024) .
Following Brexit, the GDPR is retained in the UK as the UK GDPR.
ICO, ‘Guidance on AI and Data Protection’ (last update 15 March 2023) .
EDPS, ‘Generative AI and the EUDPR. First EDPS Orientations for Ensuring Data Protection Compliance when Using Generative AI Systems’ (3 June 2024) .
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [2018] OJ L 295/39.
Cf in this regard also EDPB, ‘Statement 3/2024 on Data Protection Authorities’ Role in the Artificial Intelligence Act Framework’ (16 July 2024) .
