In an era of increasingly powerful AI systems, the question arises as to whether artificial intelligence might render the role of the data protection officer obsolete. After all, at least at first glance, it appears to be a suitable advisory tool for data protection issues and even seems capable of training employees on the handling of personal data.
However, the response of the law is unequivocal: The GDPR requires that the appointment of the data protection officer must be made “on the basis of professional qualifications and, in particular, expertise in the field of data protection law and data protection practices.” This, together with the specific wording of art. 38 (“to maintain his or her expert knowledge”), implies that the expertise of a natural person is required.
Even aside from the clear wording of the GDPR, the AI Act imposes strict documentation and monitoring obligations in the theoretical case of deploying an autonomous “AI DPO”. In the end, such an AI system would in turn be subject to the requirement for human oversight, meaning that the role of the data protection officer could not be eliminated, after all.
In general, it can be said that an AI tool certainly has the potential to make the data protection officer’s work more effective. However, human oversight remains indispensable, both legally and in practice.
An AI tool cannot, therefore, be used to circumvent the obligation to appoint a data protection officer. In the end, fines can be (and have already been) imposed for non-compliance.
Dr. Lukas Mezger (Unverzagt Law)