The European Commission has just clarified the interplay between the AI Act and the GDPR. Immediate consequence: your AI legal governance must evolve starting today.
⏱️ Key Timeline
• February 2, 2025: Direct application of AI Act Article 5 in Europe
• February 4, 2025: Publication of guidelines on AI Act/GDPR interplay
• February 6, 2025: Additional clarifications on the definition of “AI systems”
🔍 Three Critical Changes to Understand
📌 Mandatory Dual Compliance
AI systems processing personal data must now simultaneously comply with both GDPR and the AI Act.
Concrete example: A facial recognition system used for biometric identification must adhere to the prohibitions in AI Act Article 5 while also meeting GDPR requirements for lawfulness, purpose limitation, and data minimization.
📌 Differences in Territorial Scope
If your company is based outside the EU but deploys AI systems for European users, the AI Act will automatically apply, whereas the GDPR will only apply if you process the personal data of individuals located within the EU.
📌 Complementary Prohibitions
Certain practices not explicitly banned under AI Act Article 5 (such as certain types of behavioral analysis) may still be unlawful under GDPR if they involve special categories of data without a proper legal basis.
⚖️ Scope and Key Exclusions
The guidelines clarify that Article 5 applies when an AI system is placed on the market, put into service, or used. The term “use” must be interpreted broadly, covering any system deployment at any point in its lifecycle, including any “particularly harmful and abusive” usage.
⚠️ Beware of Dual Roles:
If you develop your own AI system and then use it, you are classified as both a provider and a deployer, even if other entities also use your system.
The AI Act does not apply to:
- AI systems used exclusively for national security, defense, or military purposes
- R&D activities (as long as the system is not commercialized)
- Non-professional personal use
- Open-source AI systems (with exceptions)
📋 Corporate Legal Teams’ Action Plan
To immediately adapt your governance:
- Conduct a cross-inventory of all AI systems and their interactions with personal data
- Assess exclusion criteria to determine applicability to your systems
- Update your DPIA procedures to integrate AI Act-specific criteria
- Review contracts with AI solution providers
- Train product teams on this dual compliance from the design phase
💰 Financial Risks & Compliance
Non-compliance with the AI Act can result in fines of up to €35 million or 7% of global annual turnover, in addition to potential GDPR penalties. Robust governance is no longer optional.
The AI Act will be phased in based on system categories, but preparation must start now.
🗣️ Your Turn
Has your organization already established a cross-compliance matrix for the AI Act and GDPR? What challenges do you foresee in implementing this dual regulatory compliance?