GDPR's Ban on Automated Decisions Offers Stronger AI Redress Than the AI Act

A CJEU-backed right to explanation and a default prohibition on fully automated decisions give the GDPR a wider reach than the AI Act's high-risk classification system.

If an algorithm makes a consequential decision about you, the GDPR's default position is that it cannot do so entirely on its own, regardless of whether it qualifies as an "AI system" under the EU AI Act. That default is stronger than anything the AI Act offers.

Why the AI Act's Gatekeeping Falls Short

The EU AI Act was designed to address AI-specific harms, but its definitions of "AI system" and "general-purpose AI model" are either open to interpretation or subject to change. Many algorithm-based technologies don't clearly meet those definitions. That creates a gating issue: enforcers and individuals must first argue the technology is AI before any remedy applies. The GDPR sidesteps that entirely. As a tech-agnostic law, it covers all personal data processing, regardless of how the processing technology is labelled.

The Built-In Ban on Fully Automated Decisions

Article 22 of the GDPR prohibits decisions based solely on automated processing when those decisions produce legal effects or similarly significantly affect the data subject. Three exceptions exist - explicit consent, contract necessity, or authorization by EU or national law with adequate safeguards. But even when an exception applies, the GDPR mandates human intervention, the right to be heard, and the right to contest the decision. The Court of Justice of the European Union recently recognized a further right: disclosure of meaningful information about the logic involved in a solely automated decision. That's the right to an explanation, and it opens a direct avenue for informed contestation.

How the AI Act's Explanation Right Compares

The AI Act creates its own right to explanation, but only when an individual is adversely impacted by a decision based on the output of an AI system in a specific high-risk use case listed in Annex III. The AI Act version has one advantage: it doesn't require the decision to be solely automated, so it catches cases where a human in the loop is ornamental. But it limits the right to a finite set of high-risk deployments, and there is no proactive notification requirement - outside workplace settings - to tell people a high-risk system is active. At the time of writing, the European Commission is still drafting guidelines on exactly which systems count as high-risk.

Scholars note a "hydraulic" relationship between the two rights: the stronger the interpretation of the GDPR's explanation right, the narrower the AI Act's version becomes, because the AI Act says it applies only where not otherwise provided under EU law. The interplay is not yet settled, and how courts resolve it will determine whether individuals actually get useful explanations or just more legal uncertainty wrapped in two overlapping frameworks.


Source: Potential Avenues for Redress for AI-related Harms under the GDPR: A Visual Explanation
Domain: cdt.org
