Challenges for data protection in the light of new legislation

The Artificial Intelligence Act, the Data Governance Act, the Digital Services Act and the Data Act were the four legal regulations that dominated the discussion at the academic conference on 'Personal data protection in light of the Artificial Intelligence Act and other acts implementing the European Data Strategy', which was organised by the President of the Personal Data Protection Office together with the Faculty of Law and Administration of the University of Warsaw.

This event took place on June 27, 2024 at the University of Warsaw. The invited speakers included representatives of the academic community, Personal Data Protection Office, Office of Electronic Communications, Office of Competition and Consumer Protection, as well as representatives of the European Commission and the legal community.

The experts' main goal was to discuss the challenges posed to the protection of personal data and privacy by legal acts adopted on the basis of the European Data Strategy, including the Artificial Intelligence Act, the Digital Services Act, the Data Governance Act and the Data Management Act and the Data Act.

- 'Everywhere it is being stated that the new legislation does not violate the GDPR, which remains at the centre of our interest, not only as a supervisory authority, but also at the centre of our information autonomy, our rights as people. This information autonomy is one of the most important fundamental rights and therefore cannot be allowed to get lost in the crowd of various regulations,' said Miroslaw Wróblewski, President of the Personal Data Protection Office, in his opening speech at the conference.

The new regulations are expected to contribute to the creation of an internal market for personal data and the amount of data shared is expected to influence innovation, competitiveness and economic growth. However, the process of creating such a space should be based on preserving the principles of personal data protection and human rights. This is one of the main conclusions that were put forward during the conference.

In the context of artificial intelligence itself, the experts analysed the nature of the technology and pointed out the difficulties that may be involved in controlling the content it generates. The aspects related to the protection of personal data, as well as its use by artificial intelligence, were also discussed.

One of the discussions also drew attention to the overlapping competences of particular supervisory authorities and the lack of a legally regulated framework for their cooperation. At the same time, it was emphasised that in order to ensure the standard of protection provided by the EU regulations, it is necessary to develop appropriate solutions for the creation of a model for fast and effective exchange of information.

The panel on the model of judicial review of the activities of supervisory authorities was of great interest. Experts pointed out that the currently functioning model may not be consistent with the assumptions provided for in EU regulations (including GDPR). The main point is that the decisions of the supervisory authority cannot be examined by administrative courts in aspects other than their legality. Therefore, experts discussed various possibilities of allowing a broader type of control, by common courts or on the model of specialised courts, such as the polish Court of Competition and Consumer Protection.