Companies are at serious risk of facing multiple fines for the same offense under different sets of legislation if the artificial intelligence (AI) technologies they employ misuse personal data or cause harm to consumers, according to legal experts.

When the European Union put forward both the General Data Protection Regulation (GDPR) and the first network and information systems directive in 2016, there was fear businesses could be placed in “double jeopardy,” or penalized twice for the same incident if they breached both sets of rules.

Regulators downplayed the possibility, but legal experts believe such an event is now more likely as the GDPR has the potential to overlap with a growing number of other laws. Within the European Union, the Digital Services Act, Data Act, and AI Act each cover similar territory to the GDPR and could be utilized in different ways by different countries.

“National regulators in EU member states may take different enforcement approaches, rather than a coordinated one,” said Tim Wright, partner at law firm Fladgate.

In the United Kingdom, meanwhile, the Data Protection and Digital Information Bill is working its way through Parliament. If passed as currently drafted, it will place more emphasis on the regulation and enforcement of legal compliance when deploying AI solutions.

The AI legislation push extends beyond Europe as well. William Gamble, global privacy and cybersecurity compliance consultant at IT Governance USA, noted general AI bills or resolutions were introduced in at least 17 U.S. states in 2022 and enacted in Colorado, Illinois, Vermont, and Washington. More will follow, he warned.

“Organizations must ensure they seriously evaluate and consider what data they are scraping and where they are doing it,” said Gamble. “The best advice is for organizations to ensure they receive the appropriate legal advice before using AI and web scraping, as fines could range from millions to hundreds of millions.”

Regarding cross-sectoral investigations and fines for the misuse of AI, Mark Weston, head of commercial, technology, media and telecommunications, and IP at law firm Hill Dickinson, offered the example of a U.K. financial services company. The firm’s use of personal data must be in line with data protection legislation, financial services legislation, and consumer protection legislation, meaning three regulators—the Information Commissioner’s Office, the Financial Conduct Authority, and the Competition and Markets Authority, respectively—could seek separate disciplinary orders if processes aren’t up to snuff.

Sarah Pearce, partner at law firm Hunton Andrews Kurth, said the risk of legislative crossover regarding the use of AI solutions “makes it hard for companies to streamline their compliance processes and controls relating to the use of AI.” Any overlap “adds to complexities for companies seeking to comply with both data protection rules and new AI regulations and regulatory guidance—most likely organizations will have to deal with different regulators,” she said.

Wright believes the United Kingdom is aware of the problem and trying to take a pragmatic, business-friendly approach while still ensuring consumer protection.

“Compared to the EU, the U.K.’s AI regulatory framework looks likely to be less centralized, more risk-based, and based on cross-sectoral principles and international standards,” he said.

Technology firms have borne the brunt of the relatively few examples where companies have been fined more than once for the same or similar data protection practices under different legislation. Google and Facebook have been penalized by multiple EU data protection authorities and are still being investigated by others for complaints that might well involve the same kind of GDPR breaches for which they have already been punished.

Some EU data regulators have been keen to pursue cases under national law, such as France’s CNIL fining Google 150 million euros (then-U.S. $169 million) under the country’s Data Protection Act in December 2021 over the way it used cookies, even while GDPR investigations led by another country’s supervisory authority were ongoing.