How Do the EU’s AI Act, ePrivacy Regulation, and Data Act Compare to the GDPR?

The EU has a suite of upcoming regulations that will impact companies operating in the digital sphere that could have an even bigger impact than the GDPR.


The EU has a suite of upcoming regulations that will impact companies operating in the digital sphere that could have an even bigger impact than the GDPR.

This article provides an overview of three important pieces of proposed EU legislation: the AI Act, the ePrivacy Regulation, and the Data Act, explaining what they are, how they compare to the GDPR, and when we can expect them to take effect.

AI Act

The AI Act (sometimes called the AI Regulation) is the EU’s approach to regulating artificial intelligence.

The AI Act has not yet been finalised, but the proposed law would:

  • Define “AI” broadly in an attempt to cover all models and use cases.
  • Take a risk-based approach to regulating AI according to its potential to cause harm.
  • Provide new transparency obligations for most types of AI systems.
  • Provide a self-certification process for developers of certain AI systems to demonstrate that their products are safe and compliant.
  • Ban the use of AI in certain unacceptably risky contexts.

How Does the AI Act Compare to the GDPR?

The AI Act and the GDPR interact and diverge in some important ways.

Both the GDPR and the AI Act arise out of Article 16 of the Treaty on the Functioning of the European Union (TFEU), which allows EU institutions to make rules about protecting personal data.

The GDPR already has a significant impact on the use and development of AI systems. This is because AI systems typically use a lot of personal data—both for model-training and decision-making purposes. 

The GDPR’s rules and principles will generally continue to apply to AI systems when personal data is involved. However, unlike the GDPR, the scope of the AI Act is not limited to personal data.

The GDPR governs “automated decision-making”—but only insofar as the decision-making does not involve any human intervention and has “legal or similarly significant effects” (e.g. AI-driven loan decisions). The AI Act’s rules on decision-making are likely to be broader.

The AI Act will also likely allow new uses of “special category data” (data about, for example, people’s ethnicity, sex life, or health) for certain purposes within AI systems, such as detecting and correcting bias.

When Will the AI Act Take Effect?

Before an EU act passes, the three main EU institutions (the Commission, the Council and the Parliament) must each produce a “common position” that sets out their preferred version of the legislation.

The European Commission goes first by publishing the text of its proposed legislation. The Commission published its proposed AI Act in April 2021.

The European Council adopted its position in December 2022.

On 27 April 2023, the various political groups within the European Parliament settled on a common position, which will likely go to a final vote in May.

According to Commissioner Margrethe Vestager, this progress means that the AI Act could pass later in 2023.

ePrivacy Regulation

The ePrivacy Regulation is a long-awaited update of the ePrivacy Directive, which passed in 2002. Among other things, the law will:

  • Regulate cookies, electronic marketing, and privacy in communications.
  • Explicitly cover “over-the-top (OTT)” communications services like WhatsApp, Facebook Messenger and Skype.
  • Clarify and amend the rules on cookie consent, including on mechanisms such as “cookie walls” and first-party analytics.
  • Clarify the scope of the EU’s privacy rules so that they are in line with the data protection rules under the GDPR (i.e., the ePrivacy Regulation will explicitly apply to organisations outside the EU under certain conditions).

How Does the ePrivacy Regulation Compare to the GDPR?

Like the current ePrivacy Directive, the ePrivacy Regulation will act as “lex specialis” to the GDPR, meaning that it takes precedence over the GDPR in certain areas.

For example, as under the present rules, the ePrivacy Regulation will specify which cookies require consent, while the standard of consent will come from the GDPR.

The ePrivacy Regulation will be broader than the GDPR in some respects. 

The GDPR only applies to communication involving personal data, whereas the ePrivacy Regulation will regulate privacy across all forms of electronic communication, regardless of whether personal data is involved.

When Will the ePrivacy Regulation Take Effect?

The long wait for progress on the ePrivacy Regulation has become something of a running joke among those observing the development of EU privacy legislation.

Commission first proposed its version of the ePrivacy Regulation in 2017. The Council and Parliament have both adopted positions on the final text.

The legislation has been repeatedly delayed as EU member states debate the rules on data retention and national security. 

The Rapporteur for the ePrivacy Regulation, MEP Birgit Sippel, recently called on the Swedish Council Presidency to return to the negotiating table and help the legislation progress.

Data Act

The Data Act concerns the EU’s rules on how organisations share and use both personal and non-personal data. Among other things, the Data Act will:

  • Require providers of connected devices to allow consumers to access the data produced by those devices.
  • Place rules on data-sharing contracts that attempt to rebalance power towards small to medium-sized enterprises (SMEs).
  • Enable public sector bodies to access data held by private sector organisations under certain conditions.
  • Create a framework enabling consumers to switch between data-processing service providers.

How Does the Data Act Compare to the GDPR?

There’s a lot of overlap between the Data Act and the GDPR. 

The Data Act refers to the GDPR in several areas that concern personal data. In some of those areas, the GDPR explicitly takes precedence over the Data Act. In others, the Data Act extends GDPR-like rules to cover non-personal data.

Much like the GDPR, the Data Act imposes restrictions on the international transfer of data—except that in the case of the Data Act, the restrictions apply to non-personal data.

The Data Act also incorporates some other GDPR-style concepts, including standard contractual clauses and the principles of fairness and data minimisation.

When Will the Data Act Take Effect?

The Commission proposed its version of the Data Act last February, with the Council following this February and the Parliament in March.

There will now be a period of negotiation between the Council and the Parliament, which could take anything from a few months to several years.

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!