AI regulation: Germany is looking for the super supervisory authority

The Data Protection Conference has taken a position on the enforcement of the AI Act. In a hearing, the experts focused more on the Federal Network Agency.


The EU member states are to establish market surveillance authorities within twelve months to enforce the AI Act.

(Image: photoschmidt / Shutterstock.com)

This article was originally published in German and has been automatically translated.

In Germany, the debate is gathering pace as to which government bodies could best enforce the new regulation for systems with artificial intelligence (AI) at a national level. The EU member states are to designate market surveillance authorities within twelve months.

The German Federal and State Data Protection Conference (DSK) believes it is predestined to take on this task. At a hearing in the Bundestag's Digital Committee on national leeway in the implementation of the AI Act, Robert Kilian from the German AI Association argued in favor of the Federal Network Agency and, in the medium term, a separate higher federal authority for digital matters. This is the only way to ensure a "uniform supervisory density".

Kilian emphasized that the sectoral market surveillance authorities should also stay involved; for example, Bafin should be responsible for AI systems in the financial sector. At the same time, he urged that the standardization committees should complete the technical standardization next summer if possible, so that companies can carry out the necessary conformity assessment for high-risk systems. Patrick Glauner, Professor of AI at Deggendorf Institute of Technology, also emphasized that supervision should not be left to data and consumer protection advocates. The EU requirements must be implemented in a cost-efficient and practical manner to be competitive. The Federal Agency for Disruptive Innovation (Sprind) should therefore play a key role in the selection of supervisory bodies. He considers the state hacker authority Zitis to be well suited for implementation in the security authorities.

Regulatory expert Lajla Fetic believes that the Federal Network Agency or the DSK are generally suitable for national supervision. However, as the AI Regulation is primarily a product safety law, she put a question mark over the data protection supervisory authorities. These could nevertheless examine specific applications, in the justice system for example. In general, the supervisory authorities would have to have "brains" and be familiar not only with IT, but also with the protection of fundamental rights. The combination of a central authority with sectoral state authorities is not possible, said David Roth-Isigkeit, Professor of Digitalization Law at the University of Administrative Sciences Speyer. This would be an inadmissible "mixed administration". In a study for the Bertelsmann Foundation, other researchers from Speyer recommend transferring the new supervisory function to the Federal Network Agency, which is already responsible for the Digital Services Act (DSA), and "developing it into a more comprehensive digital authority". Its structure is most likely to ensure a balance between responsibility for innovation and openness.

Lina Ehrig from the German Federation of Consumer Organizations (Verbraucherzentrale Bundesverband, vzbv) called for representatives of those affected to be included in the supervisory process and for a low-threshold complaints procedure to be created. A "frustrating ping-pong between authorities" must be avoided. An independent AI advisory board is important to support the inspectors. Systems for remote biometric identification, such as facial recognition in public spaces, should also be banned for private individuals.

Kilian Vieth-Ditlmann from the civil society organization AlgorithmWatch also advocated this. Otherwise, citizens would become "walking QR codes on two legs" and their anonymity, which is important for participating in demonstrations, would be undermined. An EU-wide transparency register for high-risk systems is also essential.

Nicole Büttner-Thiel from the German Start-ups Association warned that there should be no fragmentation between different supervisory authorities: "Now is a critical moment for the long-term ability to innovate." Oliver Suchy from the German Trade Union Confederation (DGB) advocated the mandatory establishment of company and social impact assessments depending on the focus of application and the introduction of an employee data protection law. Employees need to know "what, who and how" should actually be optimized with AI.

(are)