Is European Data Protection Toxic for Innovative AI? An Estonian Perspective

Abstract

The General Data Protection Regulation (GDPR) is, together with its seven principles, designed to function as the cornerstone of data protection in the European Union. Although the GDPR was meant to keep up with technological and socioeconomic changes while guaranteeing fundamental rights, its unclear wording with regard to the use of artificial intelligence (AI) systems has led to uncertainty. Therefore, the development and application of ever new AI systems raises various, as yet unresolved questions. Moreover, the complexity of legal requirements poses the risk of inhibiting AI innovation in the European Union. On the other hand, the GDPR gives Member States certain leeway to regulate data processing by public authorities. Therefore, data protection requirements for AI systems in public administration must be assessed under both the GDPR and national law. Against this backdrop, the article aims to guide the reader through the relevant data-protection rules applicable to AI systems in both the EU and in Estonia.