Compliance by Design in AI Systems – Towards Compliance with Data Protection Regulation, The AI Act, and Cybersecurity Regulations in AI System Development and Deployment
Permanent link: https://hdl.handle.net/10037/36528
Date: 2025-03-07
Type: Doctoral thesis
Author: Juliussen, Bjørn Aslak
Abstract
"Without prejudice to" is a term frequently used in EU technology regulations. Regulation 2024/1689 (The Artificial Intelligence (AI) Act) is "without prejudice to" the General Data Protection Regulation (GDPR), and recent cybersecurity regulations such as the Network and Information Security (NIS) 2 Directive and the Cyber Resilience Act (CRA) are without prejudice to both the GDPR and the AI Act. However, in situations where these regulations and directives enter into effect simultaneously, compliance with these rule sets would entail prioritising different design choices in technological solutions. These choices would, to a varying degree, enhance or diminish the end goals of the different applicable rule sets. This thesis explores the research question of whether it is possible to develop a compliance by design approach to processing personal data in AI systems compliant with the requirements of the GDPR, the AI Act, and specific relevant cybersecurity regulations.
The thesis examines the research question through several sub-research questions. The approach examines whether compliance with the identified legal requirements could be achieved through alterations to the methodologies applied when developing and maintaining AI systems. Thus, the first sub-research question examines the main methods and methodologies utilised for developing AI systems and managing their lifecycle post-deployment. After such an examination, relevant legal requirements are analysed during the different phases of the lifecycle of an AI system: data collection and model training, deployment, and when finished AI models are fine-tuned on AI-as-a-service (AIaaS) platforms.
The thesis identifies that one methodology frequently applied to developing and maintaining AI systems, Machine Learning Operations (MLOps), has the potential to implement and embed several relevant legal requirements including, but not limited to, the principle of accuracy in the GDPR, the requirement for accuracy under the AI Act, the right to receive meaningful information about the logic involved in automated decision-making, and the purpose limitation principle. MLOps is a concept without a clear authoritative definition. However, the methodology includes automatic, semi-automatic, and manual processes for regularly training AI models across the development and deployment phases.
Moreover, the thesis also addresses the question of how to achieve compliance with different rule sets that enter into effect at the same time. Based on the findings of the legal and technical examinations, proportionality by design, based on the principle of proportionality, is developed as a framework providing an overview, an interpretative source, and a basis for best practices for AI development and use.
Publisher: UiT The Arctic University of Norway