GDPR fines are almost never paid. Will the Artificial Intelligence Law be different?


Anyone who has worked in customer service over the past five years or so should be somewhat familiar with the General Data Protection Regulation (GDPR) and how it affects how organizations handle customer information. Well, a new EU regulation, the Artificial Intelligence Act, will come into force from 2026, and this is causing concern for some firms.

But it doesn’t have to be like that. At least that’s what a data privacy expert said. Speaking at the recent ISACA conference in Dublin, Dr Valerie Lyons, author of Privacy Leader, shared her thoughts on the new rules and the changes they might make.

“I don’t really see the AI law as adding much to what the GDPR already provides. The principles are exactly the same: the principles of transparency, security and consent,” she said.

It’s the thought that matters

There is significant overlap between the two pieces of legislation, largely due to the large volume of data that AI systems store and process, and also because the AI Act uses a very broad definition of artificial intelligence.

Compliance with the GDPR is not an exact science, Lyons explains, and it is likely that the AI Act will use similar “principles of necessity and proportionality.”

It is important to understand the context and intent behind the rules, she noted: “If I look back at the GDPR, Giovanni Buttarelli, who is sort of the father of the GDPR, he said you can stick to the spirit of the law or the letter of the law. If we stick to the letter of the GDPR law, it will never work. You must abide by the spirit of the law.”

Who pays?

We hear a lot about companies being handed huge fines for non-compliance with GDPR, but we don’t get the full story, Lyons suggests.

“You know, fines don’t work because no one actually pays them, so the Treasury doesn’t even get any money,” she says. “I mean, according to everyone in Europe, Ireland owes a ton of money, but 1% of fines (collected).”

Although the Irish Data Protection Commission is known to have issued billions of euros in fines, less than 1% of these were actually collected through appellate processes.

Even so, these fines do not hurt companies as much as statistics suggest, and the taxpayer usually ends up out of pocket.

“Who pays the DPC to go to these courts is the Treasury,” says Lyons.

“Essentially, the tax authorities continue to pay. Tusla, for example, the Irish child protection agency, was fined 75,000 four years ago – they paid the fine, and the Treasury eventually paid that fine too – because they are a taxpayer-funded government agency,” she told TechRadar Pro.

It looks like the Artificial Intelligence Act will be regulated by the same body, the Data Protection Commission, which Lyons describes as “no teeth” – suggesting the lack of compliance could continue in the new rules.

So what will the AI Act mean for companies in the coming months as the new rules come into effect?

Most small businesses are AI deployers (i.e., making AI systems available to users) rather than distributors or developers.

“Their next step is simple. Conduct a gap analysis. Using standards such as ISO or NIST will be very helpful in this regard and can provide a strong, structured roadmap for next steps. Small companies often complain about the cost, but NIST standards are freely available,” Lyons told us.

GDPR compliance is already a good first step, so develop and implement an AI policy and be sure to provide AI literacy training before February 2025. Be sure to update all notifications, policies, ROPAs and DPIAs with the help of the AI system.

“The next step is to ensure there is a robust process for monitoring the adoption of artificial intelligence systems within an organization,” Lyons said.
