A view from Brussels: A sneak peek into upcoming guidelines on GDPR, AI Act interplay

Not a day goes by where the conversation is less about how to do privacy or artificial intelligence governance and more about how they intersect with one another. When thinking about the AI Act's interplay with the EU General Data Protection Regulation, one could think about their different philosophies — one rooted in fundamental rights and the other in product safety — which inherently create different approaches. Alternatively, the two share a risk-based approach that leverages privacy programs. 

Of course, the conversation is a lot more granular, complex and tangible. 

The first hurdle: The AI Act is not fully implemented yet. Just this week, the European Parliament approved the Omnibus on AI that will introduce several changes to the original text and delay the application of some provisions.  

In this confusing era, many stakeholders are looking at the forthcoming joint guidelines of the European Commission and European Data Protection Board to help them navigate the interplay and simplify the implementation of the GDPR and AI Act. A first version of the draft guidelines could come soon; the final version could be adopted by the end of the year. 

During the IAPP's AI Governance Global Europe 2026 conference in Dublin, Ireland, EDPB Legal Officer Gintarė Pažereckaitė said the joint guidelines will look at how the data protection question arises in the context of its interplay with areas such as transparency, risk assessments, bias detection and accountability. The joint guidelines would be a generic but operational document and include concrete examples.

While the GDPR and AI Act differ in many ways, they converge on transparency. "Meeting transparency requirements under the AI Act can help meet some requirements under the GDPR for general accountability," Pažereckaitė said, hinting at how the EDPB is thinking through these issues of overlap. 

Blackboard's Compliance, Trustworthy AI and Global Privacy Officer Stephan Geering, CIPP/E, CIPP/US, noted, though, that transparency serves different objectives under the GDPR and AI Act. Under the former, it is meant to allow the exercise of subject rights while transparency in the AI context can help build trust in technology. 

The joint guidelines will also cover the differences in risk assessments. Data protection impact assessments under the GDPR are more horizontal, whereas fundamental rights impact assessments under the AI Act will be about specific cases. 

The EDPB conveyed that the upcoming guidelines should recognize that difference and could determine that operators will be able to cover both FRIAs and DPIAs in one document. "If one needs a fundamental rights impact assessment, most likely you need a data protection impact assessment, but the reverse isn't necessarily true," nuanced Pažereckaitė. 

Bias detection was also discussed as a tricky area of interplay between the AI Act and GDPR. The EDPB is bound by the GDPR, restricting processing of sensitive data under strict conditions, but it recognizes the importance of bias detection in the AI context. 

Even as the newly baked Omnibus on AI expands the possibility to process personal data with proper safeguards, when "strictly necessary" to detect and correct biases in both high-risk and non-high-risk AI systems, Geering noted that "the balance isn't quite right yet."

That sentence feels like it best describes the era of our profession.