ARTICLE
9 January 2025

"Times Change, But You Are Always On Committees" – Why The Personal Data Protection Office (PUODO) Should Oversee Data And Artificial Intelligence, Not The Ministry Of Digital Affairs' Self-Appointed Supervisor

GP
GP Partners

Contributor

We are a forward-thinking law firm, blending creativity and logic to address the complex intersection of business and technology. As rapid advancements in AI and digital innovation reshape industries, we provide strategic legal solutions to protect our clients’ businesses and assets.

Inspired by the visionary ideas of Stanislaw Lem’s The Cyberiad, we navigate the ever-evolving digital landscape, where yesterday’s science fiction has become today’s reality. Our team excels at untangling the intricate web of technology and regulation, ensuring compliance and safeguarding our clients' interests.

With resilience and precision, we serve as trusted advocates for businesses in Poland and beyond, adapting to the unstoppable pace of change. Whether tackling challenges posed by new technologies or ensuring financial security in a digital world, we are dedicated to delivering results that meet the demands of the future.

On October 15, the Ministry of Digital Affairs presented a draft law on the "Commission for the Development and Security of Artificial Intelligence," misleadingly titled the "Artificial Intelligence
Poland Technology

On October 15, the Ministry of Digital Affairs presented a draft law on the "Commission for the Development and Security of Artificial Intelligence," misleadingly titled the "Artificial Intelligence Systems Act." The ambiguity of the legislator's objectives is evident not only in the title but also in the name of the institution the Ministry aims to establish. The Commission, by its name, appears tasked with both developing artificial intelligence (AI) systems and ensuring their security – reminiscent of the fictional "League of Women" from the iconic Polish comedy movie "Sexmission", whose motto was, "The League rules, the League advises, the League never betrays."

The creation of a new governmental body is always a monumental event, justifying years of ceremonial festivities, a convenient alternative to substantive work. New positions emerge, often reserved for politically connected individuals. For its first few years, a new organization can focus on self-organization—learning office layouts, and remembering colleagues' names—rather than its designated purpose. Yet despite these "advantages," the idea of forming a new collegial body is a poor substitute for expanding the competencies of an existing institution.

Artificial intelligence systems process data, and we already have a data authority: the Personal Data Protection Office (PUODO). Moreover, a significant portion of data processed by AI systems constitutes personal data, which falls squarely under PUODO's jurisdiction. Let us return to the root of this issue.

The Legal Framework: The EU Artificial Intelligence Act

The need for national AI regulations stems from the European Union's Artificial Intelligence Act (AIA). Under Article 70(1) of the AIA, member states must designate at least one independent market surveillance authority. The Polish draft law proposes a twelve-member "Commission for the Development and Security of Artificial Intelligence," consisting of a Chairperson, two Deputy Chairpersons, and nine members. Intriguingly, the draft law clarifies that the Chairperson is *not* a Commission member.

The appointment process further raises concerns about independence. The Chairperson and deputies are chosen by the Prime Minister, while the nine members are appointed individually by various officials, including the Minister of Digital Affairs, the President of PUODO, and others. Most appointees must juggle these duties alongside their primary jobs with no extra remuneration, and the draft imposes no expertise requirements for these roles.

Overlapping Responsibilities

The Commission is envisioned as a supervisory body tasked with monitoring, interrogating, and penalizing entities using or marketing AI systems domestically. However, its scope overlaps significantly with PUODO's, especially regarding AI systems that process personal data. The AIA itself emphasizes that AI regulation should not conflict with the General Data Protection Regulation (GDPR).

Expanding PUODO's competencies to include AI oversight offers clear advantages:

  1. Continuity and Expertise: PUODO already handles automated decision-making and data-related risks under GDPR. It also manages cases involving AI systems in Poland, supported by a dedicated team of experts.
  2. Cost Efficiency: Strengthening an existing institution avoids the redundancy of creating new structures, hiring staff, and duplicating processes.
  3. Streamlined Oversight: A single authority reduces the risk of conflicting interpretations and parallel proceedings, benefiting both the market and legal clarity.

Risks of a Separate AI Commission

A dual oversight system introduces unnecessary complexities:

  1. Fragmented Accountability: PUODO's singular leadership ensures clear responsibility, whereas a collegial body diffuses accountability.
  2. Inefficient Appeals: Conflicting decisions by PUODO and the AI Commission would force businesses into protracted legal battles, undermining regulatory clarity.
  3. Market Confusion: Global players could exploit discrepancies between authorities, while smaller domestic entities bear the brunt of compliance costs.

Conclusion

AI systems process data; we already have a "surgeon" for data—PUODO. Creating a second supervisory body with overlapping duties, questionable independence, and diffuse accountability only complicates matters. As a wakeboarding champion once advised regarding knee injuries: "Go to the same surgeon every time. Let them learn." For Poland, PUODO is that surgeon for data. Let's avoid splitting responsibilities and stick to proven expertise.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More