EU Proposes Extending GDPR for AI Bias Detection
The European Commission has proposed updates to GDPR that would expand bias detection and data governance rules. The changes would apply beyond the “high-risk” systems defined in the EU AI Act. This signals a move toward continuous compliance, requiring even lower-risk agentic workflows to support fairness audits and explainability at the API level.
- The proposal would allow the processing of "special categories of personal data" for bias detection in all AI systems, not just those deemed "high-risk." The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have warned this could weaken a core safeguard in the GDPR by lowering the justification from "strictly necessary" to simply "necessary."
- The EU AI Act classifies "high-risk" systems as those used in sensitive areas, including critical infrastructure, employment and worker management, credit scoring, and law enforcement. These systems must already adhere to strict obligations, including robust risk assessments, activity logging, and appropriate human oversight.
- This proposal aligns with a broader shift from periodic checks to "continuous compliance," where AI models are monitored in real time to manage risks like model drift and ensure ongoing fairness. Organizations that have adopted AI and automation for continuous compliance have saved an average of $1.88 million per data breach compared to those without.
- The requirement for "explainability at the API level" involves designing systems that can provide clear, meaningful explanations for specific outputs, such as confidence scores or reason codes for a decision. This includes maintaining immutable logs to ensure that all automated decisions are traceable and auditable.
- A central legal tension exists between the AI Act and GDPR: to detect and correct bias in an AI model, developers may need to process sensitive data related to ethnicity or gender, which the AI Act permits for high-risk systems, while the GDPR generally restricts such processing.
- The implementation timeline for the AI Act's high-risk rules is currently under review, with a proposal to postpone full application from August 2026 to as late as August 2028 due to delays in harmonized standards. This creates legal uncertainty for developers and deployers of high-risk systems.
- Under the GDPR, individuals have the right not to be subject to fully automated decisions that have significant legal effects, a rule that directly impacts agentic workflows in sectors like finance and human resources.
- Fairness principles are embedded throughout the EU AI Act, which requires that high-risk systems use high-quality, representative training data to mitigate discriminatory outcomes. However, the Act does not provide a single, explicit article defining how fairness must be maintained, leaving a potential regulatory gap.
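The "explainability at the API level" and immutable-log points above describe a design pattern rather than a specific product. The following is an added illustration, not code from the article or from any regulator: each automated decision is emitted with a confidence score and machine-readable reason codes, and the records are hash-chained so that an auditor can detect any later edit or deletion. The toy scoring rule, the field names, the `refer_to_human` outcome and the sample applicants are all constructed assumptions; a real deployment would back the chain with write-once storage and external timestamping.

```python
"""Added example: a tamper-evident decision log with reason codes.

Every decision record carries a confidence score and reason codes (the
API-level explanation) and is SHA-256 chained to the previous record,
so modifying or removing any entry breaks verification. The scoring
rule and sample data below are constructed for illustration only.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass
class DecisionRecord:
    decision_id: str
    subject_id: str           # pseudonymous reference, never raw identity
    outcome: str              # "approve" or "refer_to_human" (assumed values)
    confidence: float         # model score in [0, 1]
    reason_codes: List[str]   # machine-readable explanation tokens
    model_version: str
    prev_hash: str = ""       # filled in by DecisionLog.append
    entry_hash: str = ""      # filled in by DecisionLog.append


def _canonical(record: DecisionRecord) -> bytes:
    # Serialise with sorted keys and no whitespace so the hash is stable
    # regardless of field order; the entry's own hash is excluded.
    body = asdict(record)
    body.pop("entry_hash")
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class DecisionLog:
    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self) -> None:
        self.entries: List[DecisionRecord] = []

    def append(self, record: DecisionRecord) -> DecisionRecord:
        # Link to the previous entry, then seal this entry.
        record.prev_hash = self.entries[-1].entry_hash if self.entries else self.GENESIS
        record.entry_hash = hashlib.sha256(_canonical(record)).hexdigest()
        self.entries.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return the index of the first broken entry, or None if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            if rec.prev_hash != prev:
                return i  # chain link altered or an entry removed
            if hashlib.sha256(_canonical(rec)).hexdigest() != rec.entry_hash:
                return i  # entry contents altered after sealing
            prev = rec.entry_hash
        return None


def score_application(subject_id: str, income: float, debt_ratio: float,
                      model_version: str = "credit-v3.2") -> DecisionRecord:
    """Constructed toy scorer: returns a decision with reason codes.

    Anything below the approval threshold is referred to a human reviewer
    rather than auto-declined, keeping a person in the loop.
    """
    reasons: List[str] = []
    score = 0.5
    if debt_ratio > 0.45:
        reasons.append("DTI_ABOVE_THRESHOLD")
        score -= 0.3
    if income >= 40000:
        reasons.append("INCOME_SUFFICIENT")
        score += 0.3
    else:
        reasons.append("INCOME_BELOW_THRESHOLD")
        score -= 0.2
    score = round(max(0.0, min(1.0, score)), 2)
    outcome = "approve" if score >= 0.6 else "refer_to_human"
    return DecisionRecord(
        decision_id=f"dec-{subject_id}",
        subject_id=subject_id,
        outcome=outcome,
        confidence=score,
        reason_codes=reasons,
        model_version=model_version,
    )


if __name__ == "__main__":
    log = DecisionLog()
    log.append(score_application("subj-001", income=55000, debt_ratio=0.20))
    log.append(score_application("subj-002", income=30000, debt_ratio=0.50))
    print("chain intact:", log.verify() is None)
    log.entries[0].outcome = "decline"  # simulate an after-the-fact edit
    print("first broken entry:", log.verify())
```

The reason codes are what an API consumer or auditor sees alongside the outcome; the hash chain is what lets the auditor trust that the record they are reading is the one written at decision time. Note that the chain alone does not stop an insider from rewriting the whole log from the tampered point onward, which is why the tail hash should be periodically anchored somewhere the log writer cannot alter.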