Table of Contents
Fetching ...

Towards An Automated AI Act FRIA Tool That Can Reuse GDPR's DPIA

Tytti Rintamaki, Harshvardhan J. Pandit

TL;DR

The paper treats the GDPR-based DPIA and the AI Act's FRIA as information-processing tasks, proposing that FRIA can leverage DPIA information and be implemented via an automated tool mandated by $Art.27-5$. It details the information requirements for both DPIA ($Art.35-7a$, $35-7c$, $35-7d$) and FRIA ($27-1$ series), and analyzes how DPIA can be used as either an ex-ante input or an ex-post concurrent input to FRIA ($Art.27-4$). It outlines a practical 5-stage FRIA process and an automated-tool architecture to support stages 1–5, including DPIA reuse at Stage 2 and notification at Stage 5, with potential interoperability through the Data Privacy Vocabulary ($DPV$). The work provides a methodological foundation for implementing automated FRIA tooling, aligning GDPR and AI Act obligations, aiding regulators and deployers, and guiding future formalization of machine-readable representations of DPIA/FRIA information for cross-use across use-cases.

Abstract

The AI Act introduces the obligation to conduct a Fundamental Rights Impact Assessment (FRIA), with the possibility to reuse a Data Protection Impact Assessment (DPIA), and requires the EU Commission to create of an automated tool to support the FRIA process. In this article, we provide our novel exploration of the DPIA and FRIA as information processes to enable the creation of automated tools. We first investigate the information involved in DPIA and FRIA, and then use this to align the two to state where a DPIA can be reused in a FRIA. We then present the FRIA as a 5-step process and discuss the role of an automated tool for each step. Our work provides the necessary foundation for creating and managing information for FRIA and supporting it through an automated tool as required by the AI Act.

Towards An Automated AI Act FRIA Tool That Can Reuse GDPR's DPIA

TL;DR

The paper treats the GDPR-based DPIA and the AI Act's FRIA as information-processing tasks, proposing that FRIA can leverage DPIA information and be implemented via an automated tool mandated by . It details the information requirements for both DPIA (, , ) and FRIA ( series), and analyzes how DPIA can be used as either an ex-ante input or an ex-post concurrent input to FRIA (). It outlines a practical 5-stage FRIA process and an automated-tool architecture to support stages 1–5, including DPIA reuse at Stage 2 and notification at Stage 5, with potential interoperability through the Data Privacy Vocabulary (). The work provides a methodological foundation for implementing automated FRIA tooling, aligning GDPR and AI Act obligations, aiding regulators and deployers, and guiding future formalization of machine-readable representations of DPIA/FRIA information for cross-use across use-cases.

Abstract

The AI Act introduces the obligation to conduct a Fundamental Rights Impact Assessment (FRIA), with the possibility to reuse a Data Protection Impact Assessment (DPIA), and requires the EU Commission to create of an automated tool to support the FRIA process. In this article, we provide our novel exploration of the DPIA and FRIA as information processes to enable the creation of automated tools. We first investigate the information involved in DPIA and FRIA, and then use this to align the two to state where a DPIA can be reused in a FRIA. We then present the FRIA as a 5-step process and discuss the role of an automated tool for each step. Our work provides the necessary foundation for creating and managing information for FRIA and supporting it through an automated tool as required by the AI Act.
Paper Structure (17 sections)