AI and Data Protection

Navigate the intersection of the EU AI Act and GDPR when deploying AI systems that process personal data.

What Is AI and Data Protection?

The EU AI Act and GDPR are independent but overlapping legal frameworks. When an AI system processes personal data, organizations must comply with both simultaneously. In this exercise, you work through a healthcare AI triage system that prioritizes patient appointments based on symptom analysis. You navigate GDPR Article 22 rights against automated decisions, data minimization conflicts with vendor demands for more data, dual transparency requirements, and the difference between a DPIA and a FRIA. A real-time patient complaint tests whether your compliance measures work in practice.

What You'll Learn in AI and Data Protection

AI and Data Protection — Training Steps

  1. Two Frameworks, One AI System

    The EU AI Act and GDPR overlap significantly when AI systems process personal data. Any AI system handling personal data must comply with both frameworks simultaneously. The GDPR concepts that matter here:
    - GDPR lawful basis - a valid legal ground is required for processing personal data.
    - GDPR Article 22 - individuals have the right not to be subject to purely automated decisions with significant effects.
    - DPIA requirements - a Data Protection Impact Assessment may be required under GDPR for high-risk processing.
    - Data minimization - only data necessary for the specific purpose may be processed.
    These are independent legal frameworks with their own enforcement mechanisms, but they create overlapping obligations for AI systems that handle personal data.

  2. AI Triage System Overview

    Wellspring Health Services has developed an AI triage system to help manage patient appointments more efficiently. Alice signs in to the clinical portal and opens the system overview page to review how it works before conducting her compliance assessment.

  3. GDPR Article 22: Automated Decision-Making

    GDPR Article 22 gives individuals the right not to be subject to purely automated decisions with significant effects. EU AI Act Article 14 separately requires human oversight for high-risk AI. The two are complementary: GDPR creates a patient right, the EU AI Act creates a design obligation. Both must be satisfied independently.

  4. Lawful Basis for Health Data

    The triage system processes health data, which is a special category under GDPR Article 9. Standard processing grounds like legitimate interest are not sufficient for health data. The correct lawful basis options are:
    - Explicit consent (GDPR Art. 9(2)(a)) - the patient gives explicit, informed consent to the processing of their health data by the AI system.
    - Necessary for medical treatment or diagnosis (GDPR Art. 9(2)(h)) - the processing is necessary for healthcare purposes and is carried out by a health professional or someone subject to professional secrecy obligations.
    Legitimate interest alone is never sufficient for processing health data under GDPR. Organizations must identify a valid Article 9 exemption in addition to an Article 6 lawful basis.

  5. Mid-Exercise Check

    Before continuing, consider what you have learned about how GDPR and the EU AI Act interact.

  6. Data Minimization vs AI Performance

    The AI vendor has requested access to full patient medical records, arguing that broader data would improve triage accuracy. However, GDPR's data minimization principle (Article 5(1)(c)) requires that only data necessary for the specific purpose is processed. For symptom-based triage, the system needs current symptom descriptions and basic patient demographics. Full medical history, medication records, and past treatment history are excessive for determining appointment priority. Processing more data than necessary violates GDPR - even if it would improve AI performance.

  7. Patient Privacy Notice Review

    Alice opens the patient-facing privacy notice from the clinical portal. A single notice can satisfy both GDPR and the EU AI Act, but only if it covers every disclosure that each framework requires.

  8. DPIA vs FRIA

    For this healthcare AI system, two separate impact assessments may be required:
    - DPIA (Data Protection Impact Assessment) - required under GDPR when processing is likely to result in a high risk to individuals' rights. Focuses specifically on data protection risks: how personal data is collected, stored, processed, and protected.
    - FRIA (Fundamental Rights Impact Assessment) - required under EU AI Act Article 27 for deployers of high-risk AI systems. Covers all fundamental rights more broadly: non-discrimination, dignity, access to healthcare, freedom, and the right to an effective remedy.
    These assessments serve different legal purposes and have different scopes. They can be conducted together as a combined exercise, but each must meet the requirements of its respective regulation.

  9. A Patient Complaint

    Dr. Sarah Park pings Alice on Telegram about a patient who is unhappy with her AI-assigned priority. Alice needs to advise Dr. Park on how to respond within the bounds of GDPR Article 22 and EU AI Act human-oversight obligations.

  10. Key Takeaways

    Here is what to remember when AI systems process personal data:
    - Dual compliance is mandatory: AI systems that process personal data must comply with both GDPR and the EU AI Act. These are independent frameworks with separate enforcement.
    - Human oversight serves both frameworks: GDPR Article 22 and EU AI Act Article 14 both require human oversight of automated decisions, but for different legal reasons. They are complementary, not substitutes.
    - Data minimization applies even when more data would help: Processing more data than necessary violates GDPR regardless of whether it improves AI performance.
    - Privacy notices must satisfy both frameworks: GDPR requires transparency about data processing; the EU AI Act requires transparency about AI system usage. Both can be addressed in a single notice.
    - Both DPIA and FRIA may be required: A DPIA focuses on data protection risks; a FRIA covers all fundamental rights. They serve different purposes even when conducted together.
    - Patients have dual rights: The right to explanation and human review exists under both GDPR and the EU AI Act, giving individuals complementary protections.