Poland’s decision to establish the Artificial Intelligence Development and Security Commission as an integrated supervisory body has sparked significant debate regarding inter-agency collaboration and regulatory clarity. This new entity, designed to pool the expertise of existing regulators, was conceived as a means to streamline AI governance and mitigate regulatory fragmentation. However, the exclusion of the Polish Data Protection Authority (DPA)—Urząd Ochrony Danych Osobowych—raises critical questions about jurisdiction, legal precedence, and the practicalities of such a collegial oversight framework.
From a legal perspective, the primary concern revolves around the potential overlap between European Union data protection rules, most notably the General Data Protection Regulation (GDPR), and the emerging regulatory framework for AI at both the national and EU levels. GDPR, enacted in 2018, grants exclusive oversight of personal data processing to national DPAs, which means that ensuring compatibility with AI governance mechanisms is both essential and complex. The Polish DPA, emphasizing its GDPR-backed competences, argued for a permanent independent advisory role. The Polish government’s draft AI law, however, excluded the DPA entirely, leaving unresolved the issue of avoiding investigative duplication when AI applications involve personal data processing. This is particularly consequential given the European Commission’s ongoing work toward the EU Artificial Intelligence Act, aimed at setting harmonized and binding rules for AI across member states.
Ethically, the situation highlights a fundamental trade-off: while integrated supervisory bodies may enhance efficiency and reduce regulatory silos, neglecting key stakeholders—like the data privacy watchdog—could undermine public trust in AI oversight. Data protection and AI governance intersect heavily when AI systems process sensitive data, yet omitting DPAs from decision-making threatens the checks and balances crucial to protecting fundamental rights. For instance, an AI-powered hiring tool that scans résumés for recruitment may involve both compliance with data protection laws and assessments of algorithmic fairness. Without close collaboration, such cases could fall through the cracks of poorly coordinated oversight.
Industry implications are equally significant. Businesses operating in Poland worry that fragmented jurisdictional boundaries may result in conflicting guidance or duplicated fines. For example, a developer of an AI tool used in financial services might face investigations under separate AI and data protection frameworks, with no clear resolution mechanism if regulators disagree. Conversely, better-integrated bodies could provide a one-stop regulatory checkpoint, reducing compliance costs. The current uncertainty may discourage innovation, as companies hesitate to release technology in the absence of clear, predictable governance.
In conclusion, the Polish government’s approach to AI regulation—while ambitious—exemplifies the challenges of marrying cross-sectoral supervision with specialized expertise. To ensure effective oversight, Poland must strike a balance between integration and inclusivity. Aligning DPA involvement with the Commission’s mandate would not only ensure compliance with EU law but also reinforce public confidence and industrial clarity in the governance of AI technologies.