”Simplify the GDPR and the AI-act for a strong Europe”

The General Data Protection Regulation (GDPR) complicates necessary and desirable use of data and AI. We have already experienced how AI technology can be used to solve major societal challenges. Therefore, companies involved in the development and use of new AI solutions need a more reasonable regulatory framework to relate to so that we in a safe and efficient way can leverage the potential of AI even further.

For many years, it has been considered a sign of political success within the EU to adopt massive regulatory packages related to new digital phenomena (the AI Act, the Data Act, the Digital Services Act, among others). These regulatory initiatives are often based on a correct problem analysis, but their practical design creates difficulties for legitimate companies to comply with all the rules. Added to this is a reluctance to revisit and refine existing legal reforms, such as the GDPR, even when needed to avoid unjustified obstacles to, for instance, AI use. The result is that Europe falls behind in global technological development—while the U.S. and China race ahead.

It is no exaggeration to say that Swedish competitiveness depends on companies being able to develop and utilize AI, for product development and analysis, enhanced security, and increased efficiency, to mention a few. For companies that are not at the forefront of technological development themselves, the ability to use AI solutions developed by others is a crucial success factor.

But as the Swedish government’s AI Commission, among others, has noted, there are several challenges for companies that want to take advantage of these new opportunities. This is especially true for the challenges associated with regulations of data and AI use. For Europe to be competitive in AI, several measures are needed, some of which are particularly urgent:

• Simplify the possibilities of using personal data to train and adapt AI systems and models, provided that risk-mitigating measures are taken simultaneously. Access to (large volumes of) high-quality data is essential for creating accurate AI models and systems. There is often a need to use personal data, even if the purpose of the training process is not to obtain information about individuals, but to use this data to train models and systems. Guidance issued by data protection authorities illustrates that the GDPR often prevents or significantly complicates the development of AI solutions, even though the risks to individuals are limited if appropriate measures are taken during the training process.
• Do not close the door to automated decision-making. The GDPR rules on automated decision-making significantly limit companies’ ability to use AI in decisions involving customers. Of course, there are risks associated with allowing AI systems to make automated decisions, and such decision-making is not suitable in all contexts, but the current regulation is unjustifiably restrictive and does not fully consider the benefits and risks in each individual case.
• Remove overlapping regulations and make the regulation more risk-based. Laws concerning new digital phenomena are often layered over time, creating a complex regulatory framework that in practice hinders innovation and business. One solution to the problem described in the previous point would be to remove the GDPR regulation of automated decisions and instead have it fully governed based on risk level under the AI Act.
• A general review of the AI Act is needed with the aim of simplifying the regulation. The ambition to create a risk-based regulation was entirely correct, but the final regulation has, in many respects, become an unmanageable and bureaucratic framework.

AI should not be, and has never been, unregulated. Its development and use is already governed by several areas of law, such as product safety, liability, and discrimination. Particularly important are the strict rules on the processing of personal data found in the GDPR. Last year, a new comprehensive AI Act was also adopted. The regulation places far-reaching requirements both for companies that develop new AI systems and models, as well as for those that use AI systems in their operations.

It is of course entirely appropriate that legal requirements, for example regarding the handling of personal data, also apply in the development and use of AI. Since the use of AI involves risks, some specific AI regulation may be justified. However, the overall regulatory burden, along with the lack of clarity and unjustified restrictiveness of certain rules, creates major challenges for serious and responsible Swedish companies investing in AI.

Following Mario Draghi’s report on the EU’s competitiveness challenges last year, the winds are shifting, and the need for a more reasonable regulatory burden is now being seriously discussed. This discussion is long-awaited, but to truly benefit the business sector, it must be followed by concrete actions, especially when it comes to the conditions for AI use.

Implementing the new ambitions to ease the regulatory burden on companies is necessary for a successful and well-equipped tech capacity in Sweden and Europe.