On October 15, the Ministry of Digital Affairs presented a draft law on the "Commission for the Development and Security of Artificial Intelligence," misleadingly titled the "Artificial Intelligence Systems Act." The ambiguity of the legislator's objectives is evident not only in the title but also in the name of the institution the Ministry aims to establish. The Commission, by its name, appears tasked with both developing artificial intelligence (AI) systems and ensuring their security – reminiscent of the fictional "League of Women" from the iconic Polish comedy movie "Sexmission", whose motto was, "The League rules, the League advises, the League never betrays."
The creation of a new governmental body is always a monumental event, justifying years of ceremonial festivities, a convenient alternative to substantive work. New positions emerge, often reserved for politically connected individuals. For its first few years, a new organization can focus on self-organization—learning office layouts, and remembering colleagues' names—rather than its designated purpose. Yet despite these "advantages," the idea of forming a new collegial body is a poor substitute for expanding the competencies of an existing institution.
Artificial intelligence systems process data, and we already have a data authority: the Personal Data Protection Office (PUODO). Moreover, a significant portion of data processed by AI systems constitutes personal data, which falls squarely under PUODO's jurisdiction. Let us return to the root of this issue.
The Legal Framework: The EU Artificial Intelligence Act
The need for national AI regulations stems from the European Union's Artificial Intelligence Act (AIA). Under Article 70(1) of the AIA, member states must designate at least one independent market surveillance authority. The Polish draft law proposes a twelve-member "Commission for the Development and Security of Artificial Intelligence," consisting of a Chairperson, two Deputy Chairpersons, and nine members. Intriguingly, the draft law clarifies that the Chairperson is *not* a Commission member.
The appointment process further raises concerns about independence. The Chairperson and deputies are chosen by the Prime Minister, while the nine members are appointed individually by various officials, including the Minister of Digital Affairs, the President of PUODO, and others. Most appointees must juggle these duties alongside their primary jobs with no extra remuneration, and the draft imposes no expertise requirements for these roles.
Overlapping Responsibilities
The Commission is envisioned as a supervisory body tasked with monitoring, interrogating, and penalizing entities using or marketing AI systems domestically. However, its scope overlaps significantly with PUODO's, especially regarding AI systems that process personal data. The AIA itself emphasizes that AI regulation should not conflict with the General Data Protection Regulation (GDPR).
Expanding PUODO's competencies to include AI oversight offers clear advantages:
- Continuity and Expertise: PUODO already handles automated decision-making and data-related risks under GDPR. It also manages cases involving AI systems in Poland, supported by a dedicated team of experts.
- Cost Efficiency: Strengthening an existing institution avoids the redundancy of creating new structures, hiring staff, and duplicating processes.
- Streamlined Oversight: A single authority reduces the risk of conflicting interpretations and parallel proceedings, benefiting both the market and legal clarity.
Risks of a Separate AI Commission
A dual oversight system introduces unnecessary complexities:
- Fragmented Accountability: PUODO's singular leadership ensures clear responsibility, whereas a collegial body diffuses accountability.
- Inefficient Appeals: Conflicting decisions by PUODO and the AI Commission would force businesses into protracted legal battles, undermining regulatory clarity.
- Market Confusion: Global players could exploit discrepancies between authorities, while smaller domestic entities bear the brunt of compliance costs.
Conclusion
AI systems process data; we already have a "surgeon" for data—PUODO. Creating a second supervisory body with overlapping duties, questionable independence, and diffuse accountability only complicates matters. As a wakeboarding champion once advised regarding knee injuries: "Go to the same surgeon every time. Let them learn." For Poland, PUODO is that surgeon for data. Let's avoid splitting responsibilities and stick to proven expertise.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.