The European Data Protection Board (EDPB) has called on EU member states to put existing national data-protection authorities (DPAs) in charge of supervising high-risk AI systems.
The Brussels-based EDPB ensures that data-protection law across the EU is applied consistently, and steps in to settle disputes among national data-protection regulators.
Its statement (16 July) followed the publication of the EU’s AI Act in the Official Journal of the European Union earlier this month – the final step in putting the landmark legislation into effect.
The act requires member states to designate at least one authority to supervise and enforce its provisions before 2 August 2025.
‘Experience and expertise’
“A prominent role of the DPAs at national level should be recognised, in particular due to the experience and expertise gathered by them in working out guidelines and best practices and carrying out enforcement actions on AI-related issues with respect to the processing of personal data at both national and international level,” the EDPB stated.
It added that additional staff and financial resources should be allocated to national DPAs to enable them to take on the additional AI-related tasks.
Lawyers at Matheson say that it remains to be seen which national body or bodies will be appointed by the Irish Government to supervise and enforce the AI Act.
In May, the Department of Enterprise, Trade and Employment launched a public consultation on the implementation of the act, which closed last week.
The Matheson lawyers note that Ireland’s Data Protection Commission (DPC) last week published its first guidance on the interplay of data-protection laws and AI.
‘Significant challenges’ for DPC
The guidance emphasises the importance of understanding how personal data is used in AI systems, ensuring transparency, and complying with the GDPR and data-protection legislation.
“Given the DPC’s role as lead supervisory authority for so many multi-national technology companies whose EU headquarters are located in Ireland, the DPC's role in regulating AI product providers and deployers’ compliance with data-protection laws will be crucial,” Matheson says.
Its lawyers warn, however, that “significant challenges” would inevitably accompany any expanded role for the DPC, due to the “considerable resources” that would be needed.