Introduction:
In the ever-evolving landscape of artificial intelligence (AI), the European Union has taken a significant step forward with the introduction of the AI Act, emphasizing the critical importance of confidentiality in regulating AI systems. The Act, under Article 78, establishes stringent guidelines aimed at protecting sensitive information and data integrity throughout the regulatory process. This article explores the intricacies of confidentiality provisions in the EU AI Act.
Understanding Confidentiality under the EU AI Act:
The cornerstone of Article 78[1] is the principle that all parties involved in the application of the AI Act must adhere to strict confidentiality standards. This includes entities such as the Commission, market surveillance authorities, notified bodies, and any other natural or legal persons engaged in regulatory activities pertaining to AI systems within the EU.
Scope of Confidentiality:
The Act mandates that confidentiality measures be applied in a manner that safeguards several key interests:
- Confidentiality: Entities enforcing the EU AI Act must comply with both Union and national laws that protect the confidentiality of information and data obtained during their activities. This includes safeguarding sensitive information like source codes, except in specific circumstances permitted under EU directives.
- Data Collection and Protection: Authorities are permitted to request only the data necessary for assessing AI system risks and fulfilling their regulatory duties under the EU AI Act and Directive (EU) 2019/1020[2]. They are required to implement robust cybersecurity measures to prevent breaches and maintain the security and confidentiality of collected information. Additionally, data must be promptly deleted when it no longer serves its regulatory purpose, adhering to applicable legal requirements.
- Confidential Information: Information exchanged confidentially between national competent authorities or between these authorities and the European Commission cannot be disclosed without prior consultation with the originating authority. This provision is particularly critical in instances involving high-risk AI systems used by law enforcement, border control, immigration, or asylum authorities, where public and national security interests are paramount.
- Legal and Operational Framework: Article 78[3] ensures that its provisions do not hinder the exchange of information or the issuance of warnings by the Commission, Member States, relevant authorities, or notified bodies. This facilitates effective cross-border cooperation essential for enforcing AI regulations uniformly across the EU.
- International Cooperation: Recognizing the global nature of AI regulation, Article 78[4] allows for the confidential exchange of information with regulatory authorities of third countries under bilateral or multilateral agreements. Such agreements must guarantee a level of confidentiality that meets EU standards and principles.
Data Collection and Protection:
Under the AI Act, authorities are authorized to request only the data necessary for assessing the risk posed by AI systems and for exercising their regulatory powers. Strict adherence to this principle ensures that data collection is limited to what is essential, minimizing unnecessary intrusion into private or proprietary information.
Furthermore, robust cybersecurity measures are mandated to protect the security and confidentiality of all collected data. These measures are designed to prevent unauthorized access, breaches, or cyber threats that could compromise the integrity of the regulatory process or the safety of sensitive information.
Transparency and Consultation:
While confidentiality is upheld rigorously, the Act also emphasizes transparency and accountability. Information exchanged on a confidential basis between national competent authorities or between these authorities and the Commission cannot be disclosed without prior consultation. This consultation requirement ensures that any potential disclosure respects the interests of the originating authority and stakeholders involved, particularly in cases involving high-risk AI systems used in sensitive sectors like law enforcement or border control.
Implementation Challenges and Considerations:
Implementing robust confidentiality measures under the AI Act presents several challenges and considerations:
- Technological Complexity: As AI technologies evolve, maintaining adequate cybersecurity measures becomes increasingly complex. Continuous adaptation and enhancement of security protocols are essential to mitigate emerging cyber threats effectively.
- Interagency Cooperation: Effective coordination and cooperation between national competent authorities, the Commission, and other relevant entities are crucial to ensuring consistent application of confidentiality standards across borders and sectors.
- Legal Harmonization: Harmonizing confidentiality standards across EU member states, considering variations in national laws and practices, is essential for ensuring uniform application of the AI Act’s provisions.
- Public Accountability: Balancing confidentiality with the need for public accountability requires clear guidelines and mechanisms for transparency in regulatory activities, ensuring that the public retains confidence in the regulatory framework governing AI technologies.
International Considerations and Cooperation:
Recognizing the global nature of AI development and deployment, the EU AI Act also addresses the exchange of confidential information with regulatory authorities of third countries. This exchange is governed by bilateral or multilateral confidentiality arrangements, ensuring that EU standards of confidentiality are upheld when collaborating on AI-related matters with international partners.
Conclusion:
Article 78 of the EU AI Act exemplifies the European Union’s commitment to fostering a secure and ethical environment for AI development and deployment. By emphasizing stringent confidentiality measures, the Act ensures the protection of sensitive information, bolsters public and national security interests, and promotes responsible AI governance. These provisions, harmonized with the EU Directive 2016/943 on the protection of trade secrets, reinforce the EU’s stance on maintaining robust data integrity and privacy standards. Through international cooperation and adherence to these guidelines, the EU sets a benchmark for global AI regulation, balancing innovation with rigorous oversight.
[1] Article 70, EU AI Act, 2024
[2] Directive (EU) 2016/943 of the European Parliament and of the Council, 2016
[3] ibid
[4] ibid