Fatskills
Study Guide: Certified Information Privacy Professional (CIPP): EU - EU Artificial Intelligence Act and its Privacy Implications
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-eu-artificial-intelligence-act-and-its-privacy-implications


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/E Study Guide – EU Artificial Intelligence Act (AI Act) & Its Privacy Implications


What This Is

The EU Artificial Intelligence Act (AI Act, Regulation (EU) 2024/1689) is the first comprehensive, risk-based regulatory framework for AI systems placed on the EU market or used within the EU. It sorts AI into tiers: prohibited ("unacceptable risk") practices, high-risk systems, systems carrying only specific transparency obligations (often called "limited risk"), and everything else (minimal risk, no new obligations), with a separate regime for general-purpose AI models. The regulated tiers attract obligations such as conformity assessments, transparency duties, and post-market monitoring. For privacy professionals, the AI Act matters because it does not displace the GDPR: an AI system that processes personal data must satisfy both. In practice that means conducting a DPIA wherever GDPR Art. 35 requires one, bringing the AI system within the data protection officer's remit, and embedding privacy safeguards directly into the AI lifecycle.

Real-world scenario: A multinational e-commerce platform deploys an AI-driven recommendation engine that profiles EU shoppers to personalise product offers. The system processes location, browsing history, and purchase data. Product recommendation is not an Annex III high-risk use case, so the AI Act imposes no conformity assessment here (only the Art. 50 transparency duty if the system talks to shoppers as a chatbot). The profiling still falls squarely under the GDPR, however: the company needs a lawful basis, must tell shoppers about the profiling, must consider a DPIA for systematic large-scale profiling, and must honour data subject rights, including the Art. 22 limits if recommendations ever produce legal or similarly significant effects.


Key Terms & Provisions

  • Artificial Intelligence Act (AI Act) – Regulation (EU) 2024/1689 (proposed as COM/2021/206 final) establishing a risk-based regime for AI systems placed on the EU market or used in the EU.
  • High-risk AI system – Under Art. 6, an AI system that (i) is a product, or a safety component of a product, covered by the EU harmonisation legislation listed in Annex I (e.g., medical devices, machinery, vehicles) and subject to third-party conformity assessment there, or (ii) falls within an Annex III use case (e.g., biometric identification, critical infrastructure, education, employment, access to essential services such as credit scoring, law enforcement, migration, justice). Requires a risk management system, conformity assessment, CE marking, and a technical documentation file (Annex IV).
  • Unacceptable AI – AI practices expressly prohibited by Art. 5 (e.g., real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, subject to narrow exceptions; social scoring; manipulative or subliminal techniques; exploiting the vulnerabilities of a group).
  • Limited-risk AI – Systems that carry only the transparency obligations of Art. 50 (e.g., chatbots must disclose that the user is interacting with an AI system; deepfakes and other synthetic content must be labelled). AI outside all three tiers is minimal-risk and carries no new obligations.
  • Conformity Assessment – The procedure (internal control or notified-body review) that demonstrates a high-risk AI system meets the AI Act's requirements on risk management, data governance, transparency, human oversight, accuracy, robustness and cybersecurity.
  • Post-Market Monitoring – Ongoing obligation (Art. 72) for high-risk AI providers to collect performance data, report serious incidents (Art. 73), and update the system to mitigate new risks.
  • Data Protection Impact Assessment (DPIA) – GDPR Art. 35 assessment required when processing is likely to result in a high risk to the rights and freedoms of data subjects (e.g., automated decision-making with legal or similarly significant effects, large-scale profiling). Deployers of Annex III high-risk systems must use the provider's instructions for use when carrying out their DPIA (AI Act Art. 26(9)).
  • Transparency obligations – Art. 50 requires that people are told when they interact with an AI system (unless it is obvious from the circumstances) and that synthetic audio, image, video or text is marked as AI-generated; deployers of Annex III high-risk systems must also inform the people subject to them (Art. 26(11)), who gain a right to an explanation of decisions under Art. 86. Information about the logic, significance and envisaged consequences of automated decision-making comes from the GDPR (Arts. 13–15, 22), not the AI Act.
  • Human oversight (often called "human-in-the-loop", HITL) – Art. 14 requires high-risk AI systems to be designed so that natural persons can understand, monitor, override, or stop the system's output; Art. 26(2) requires deployers to assign that oversight to competent, trained people.
  • CE Marking for AI – Symbol (Art. 48) indicating conformity with the AI Act; required before a high-risk AI system can be placed on the EU market.
  • Joint Controllers – When multiple entities jointly determine the purposes and means of AI-driven processing, they must allocate responsibilities under GDPR Art. 26 in a transparent arrangement. The AI Act separately distinguishes providers from deployers (Art. 25 sets out when a deployer becomes a provider), so both role maps must be documented and kept consistent with each other.

Step?by?Step Process Flow (Applying the AI?Act & GDPR)

  1. Identify the AI system & its scope – Catalog every AI model, its inputs, outputs, and the EU-resident data it processes.
  2. Classify the risk level – Check Art. 5 (prohibited practices), Annex I (product safety legislation) and Annex III (listed use cases) to determine whether the system is prohibited, high-risk, subject only to Art. 50 transparency duties, or minimal-risk.
  3. Conduct a DPIA (where GDPR requires it) – Follow GDPR Art. 35: map data flows, assess necessity/proportionality, evaluate residual risks, and document mitigation measures; for Annex III systems, draw on the provider's instructions for use (AI Act Art. 26(9)).
  4. Prepare AI Act technical documentation (Annex IV) – Include system description, data governance, risk management, conformity assessment results, and human oversight procedures.
  5. Perform conformity assessment & CE marking – For high-risk AI, either the internal-control procedure (Annex VI, available for most Annex III systems) or a notified-body assessment (Annex VII, required for Annex I products under their sector rules and for certain biometric systems); then affix the CE mark and register the system in the EU database (Art. 49).
  6. Implement transparency & human-oversight controls – Give the Art. 50 and Art. 26(11) notices, embed human-oversight interfaces, and set up post-market monitoring (incident logs, periodic reviews).

Common Mistakes

  • Mistake: Assuming the AI Act replaces GDPR ("The AI Act is a standalone privacy law"). Correction: The AI Act complements GDPR; all GDPR obligations (lawful basis, DPIA, data subject rights) still apply to personal data processed by AI.
  • Mistake: Classifying every AI as "high-risk", which leads to unnecessary CE marking and costly assessments. Correction: Use Art. 5, Annex I and Annex III to determine the correct tier; only systems meeting the high-risk criteria need full conformity assessment.
  • Mistake: Skipping the transparency notice for chatbots, believing limited-risk AI has no obligations. Correction: Even limited-risk AI must provide a simple notice that the user is interacting with an AI system (e.g., "This is an AI-generated response").
  • Mistake: Treating the AI provider as a "processor" only and ignoring joint-controller responsibilities. Correction: When you and a third-party AI vendor jointly decide the purposes of processing, you are joint controllers under GDPR Art. 26 and must allocate duties in a written arrangement; check the AI Act provider/deployer roles separately, since they do not map one-to-one onto controller/processor.
  • Mistake: Relying solely on the vendor's CE mark, assuming it covers all data-protection aspects. Correction: The CE mark confirms conformity with the AI Act's technical requirements, but you must still verify privacy safeguards (e.g., DPIA outcomes, data minimisation) before deployment.

CIPP Exam Insights

  1. Scope Traps – The exam often asks whether the AI Act applies to a SaaS provider with no EU office. Remember: the territorial scope (Art. 2) covers providers placing systems on the EU market regardless of where they are established, deployers located in the EU, and providers or deployers outside the EU whose system's output is used in the EU. Physical presence is not the test.
  2. Overlap with GDPR – Expect a question contrasting AI Act transparency duties with GDPR information to data subjects. The AI Act requires disclosure that a person is dealing with, or subject to, an AI system and labelling of synthetic content; the GDPR requires the legal basis, the rights available, and (for automated decisions) the logic, significance and envisaged consequences.
  3. Risk-Based Classification – You may be given a list of AI use cases and asked to label each as prohibited, high-risk, transparency-only, or minimal-risk. Memorise the Art. 5 prohibited practices (eight in the adopted Act, including subliminal manipulation, exploitation of vulnerabilities, social scoring, and real-time remote biometric identification in publicly accessible spaces for law enforcement).
  4. Conformity Assessment Pathways – Know the difference between internal control (Annex VI, available for most Annex III systems) and notified-body assessment (Annex VII, used for Annex I products under their sector legislation and for biometric systems in certain cases).

Quick Check Questions

  1. Scenario: A German health-tech startup uses an AI-driven diagnostic tool that analyses patient MRI scans. The tool is sold to hospitals across the EU.
    Question: Which obligations does the startup have under the AI Act?
    Answer: Because the tool is a medical device, it is high-risk under Annex I. The startup, as provider, must (i) complete conformity assessment under the Medical Device Regulation with the AI Act requirements folded in (via a notified body where the MDR requires one), (ii) affix the CE mark, (iii) prepare technical documentation, (iv) run post-market monitoring and serious-incident reporting, and (v) meet the GDPR for any patient data it processes itself (e.g., training data), including a DPIA where Art. 35 applies, while giving hospitals the instructions for use they need for their own DPIAs as controllers.

  2. Scenario: An EU-based e-commerce site embeds a chatbot that suggests products. The chatbot does not store personal data.
    Question: Does the AI Act require a transparency notice?
    Answer: Yes – Art. 50(1) requires that users are told they are interacting with an AI system unless that is obvious from the circumstances. The duty applies whether or not personal data is stored, because it is an AI Act obligation, not a GDPR one.

  3. Scenario: A US-based AI vendor supplies a facial-recognition system to a French airport. The system performs real-time identification in a public terminal.
    Question: Can the airport legally use this system under the AI Act?
    Answer: If the system is used for law-enforcement purposes, real-time remote biometric identification in a publicly accessible space is a prohibited practice under Art. 5, permitted only under narrow exceptions (e.g., specific serious-crime searches authorised under national law). If the airport operator uses it for its own purposes, the Art. 5 prohibition does not apply, but the system is high-risk remote biometric identification under Annex III (conformity assessment, CE marking, human oversight, registration), and the processing of biometric data also has to clear GDPR Art. 9 on special-category data, which is a very high bar in practice.


Last?Minute Cram Sheet (10 One?Liners)

  1. AI Act (Regulation (EU) 2024/1689) – "Risk-based": prohibited, high-risk, transparency-only (limited-risk) and minimal-risk tiers; only high-risk needs CE marking.
  2. Territorial scope – Applies to any AI system placed on the EU market or used in the EU, regardless of the provider's location.
  3. High-risk AI conformity assessment – Either internal control (Annex VI) or notified-body review (Annex VII); ends with a CE mark and registration in the EU database.
  4. Unacceptable AI – Art. 5 prohibits (a) real-time remote biometric ID in publicly accessible spaces for law enforcement (narrow exceptions), (b) social scoring, (c) subliminal or manipulative techniques, (d) exploiting vulnerabilities due to age, disability or social situation, plus further practices added in the adopted Act (e.g., untargeted scraping of facial images, emotion recognition at work and in education).
  5. Transparency – AI Act: tell people they are dealing with an AI system and that they are subject to an Annex III high-risk system; GDPR: purpose, legal basis, rights, and for automated decisions the logic, significance and envisaged consequences.
  6. DPIA trigger – GDPR Art. 35 applies where processing is likely to result in a high risk (e.g., AI producing legal or similarly significant effects, large-scale profiling); AI Act high-risk status is a strong indicator, not the legal test.
  7. Post-market monitoring – Mandatory for high-risk AI; serious incidents go to the market surveillance authority no later than 15 days after the provider becomes aware (shorter deadlines for death or widespread incidents).
  8. Human oversight (Art. 14) – Required for every high-risk AI system, including those making decisions about individuals (e.g., credit scoring, recruitment).
  9. Joint Controllers – When multiple parties decide AI purposes/means, they must allocate GDPR responsibilities (Art. 26) and keep that allocation consistent with their AI Act provider/deployer roles.
  10. Fine ceiling – Art. 99: up to €35 million or 7 % of worldwide annual turnover for prohibited practices, €15 million or 3 % for most other breaches, €7.5 million or 1 % for supplying incorrect information; the top tier exceeds the GDPR's €20 million / 4 %.

Good luck – you've got the core concepts, the exam traps, and the practical steps to ace the AI Act portion of the CIPP/E!