Artificial intelligence in itself may not pose a threat to fundamental rights, but without a timely and adequate regulatory response, it can become a factor of systemic risk. Therefore, compliance with the European Union's General Data Protection Regulation (GDPR), its upgrade in line with the Artificial Intelligence (AI) Act, and active participation in regional and European initiatives is the only sustainable path to preserving citizens' rights and trust in the digital society.
This, among other things, he told "Vijesti": Muhammad Gjokaj from the Agency for Personal Data Protection and Free Access to Information (AZLP), also the former president of the Agency's Council and one of the candidates for judge of the Constitutional Court.
GDPR is the most important regulatory instrument of the European Union (EU) in the field of personal data protection.
Its adoption, Gjokaj explains, marked a turning point in the way personal data is processed, protected and monitored. However, he adds, the rapid development of AI, especially systems based on machine learning and generative models, raises serious questions about the GDPR's ability to adequately respond to modern technological challenges.
"While the GDPR remains a strong normative foundation, it is clear that it was not designed to respond to the complexity and dynamics of modern artificial intelligence systems," he says.
GDPR, Gjokaj adds, was conceived in the context of relatively predictable and static data processing systems, in which the purpose of processing, legal basis, method of data processing, transparency and responsible entities, i.e. data controllers and users, were clearly defined.
In contrast, according to him, modern AI systems function through continuous learning, processing of large and heterogeneous data sets, and statistical inference, which is often not fully transparent even to their creators.
“Such a difference in conceptual approach leads to a normative gap between the existing legal framework and technological reality,” said Gjokaj.
According to him, a particular challenge is the automatic data processing used in automated decision-making systems.
"Although the GDPR provides protection to individuals from exclusively automated decisions that produce legal or similarly significant consequences, this provision does not cover a wide range of modern AI practices that, even without formal legal effect, have a profound impact on the rights, opportunities and social position of individuals, especially in intruding on their privacy through various ways of data processing through personality profiling," says the interlocutor of "Vijesti".
Algorithmic profiling, ranking, recommendation, and predictive analysis, Gjokaj adds, are increasingly shaping the approach in public life from companies that use modern tools in employment, education, financial and other services and information.
"This further blurs the line between consequences and formal legal decisions, or rather, remains unclear," said Gjokaj.
One of the most sensitive issues, he adds, relates to the processing of personal data for the purpose of training AI systems.
GDPR, he explains, is based on the principles of lawfulness, purpose limitation, data minimization, and retention time limitation, while artificial intelligence requires massive amounts of data, multiple and often secondary processing purposes, as well as long-term use of information that remains embedded in the models themselves.
"In practice, so-called synthetic data, which are generated algorithmically based on real data sets, are increasingly being used. Although synthetic data is formally presented as a safer alternative, modern algorithms allow it to match or highly correlate with real personal data in certain cases, which creates a real risk of indirect identification and violation of personal rights," said Gjokaj.
Such situations, he said, further confirm that traditional concepts of anonymization and pseudonymization are becoming insufficient in the era of advanced artificial intelligence.
"Montenegro has not yet adopted a new Law on the Protection of Personal Data fully compliant with the GDPR, which further complicates the response to modern challenges in the field of data protection, especially in a situation where AI is increasingly used in the public and private sectors," said Gjokaj.
There are no limits to data.
The need for harmonization of national legislation, according to him, does not only refer to the formal adoption of GDPR standards, but also to their upgrading in line with the latest technological developments.
"Especially in the area of data processing for the purposes of training AI systems and managing the risks that arise from that. The cross-border nature of data processing adds additional complexity to this issue," said the interlocutor of "Vijesti".
As an illustrative example, he cites the use of personal data from the Facebook social network of citizens of the Western Balkans for the purpose of training artificial intelligence systems.
“Such practices clearly demonstrate that the protection of personal data can no longer be solely a national issue,” he said.
In this sense, adds Gjokaj, the AZLP initiative is significant, which initiated the formation of a working group for joint action with the Personal Data Protection Agency of Bosnia and Herzegovina, the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia, and the Personal Data Protection Agency of North Macedonia.
"The goal of this regional approach is to strengthen institutional cooperation and protect the rights of citizens whose personal data are subject to increased processing in the context of the development and application of artificial intelligence," said Gjokaj.
Adopt laws as soon as possible
The "Vijesti" interlocutor adds that the EU is aware of the limitations of the existing regulatory frameworks, so by adopting the Artificial Intelligence Act, it has begun a process of normative upgrading and harmonization aimed at establishing a balance between technological development and the protection of fundamental rights, i.e. the protection of citizens' personal data.
The AI Act, however, does not replace the GDPR, but rather supplements it, Gjokaj said, and introduces a risk-based approach, strict obligations for high-risk AI systems, and a ban on certain unacceptable practices.
"This regulatory model clearly indicates the direction in which candidate countries for EU membership should move, including Montenegro," he said.
In this regard, he adds, it is necessary to urgently adopt a new law on personal data protection, which will be fully compliant with the GDPR, strengthen the capacities of the supervisory authority, and pay special attention to mandatory data protection impact assessments for AI systems, introducing continuous monitoring of high-risk systems that process personal data, as well as strengthening regional and international cooperation in the field of data protection.
"As a member of the working group for the drafting of the Law on the Protection of Personal Data in line with the GDPR and the working group for the drafting of the Law on the Protection of Personal Data Processed by Competent Authorities, I believe that it is of crucial importance that these laws are adopted as soon as possible," said Gjokaj.
At the same time, he adds, it is necessary to consider integrating specific normative elements related to AI, in order to timely adapt the national legal framework to modern technological realities and regulatory trends in the EU.
"The future of personal data protection in Montenegro, as well as in the wider European space, will depend on the ability of the legal system to develop in parallel with technology," says the interlocutor of "Vijesti".
Bonus video:
