A brief EU regulation with a big impact: How four simple rules can restore digital freedom to SMEs and consumers, thereby gently enhancing legal certainty, compliance, and legal protection in the field of data protection and AI regulation.
An article by Tom Braegelmann, Berlin
Many consumers, self-employed individuals, and small and medium-sized enterprises (SMEs) are uncertain about data protection and artificial intelligence (AI). The situation is actually quite straightforward: The EU has good intentions, aiming primarily to regulate tech giants and real systemic risks effectively. However, the laws are written in such a complicated fashion that even experts sometimes struggle to understand what is permitted, for whom these obligations apply, and how strictly they must be followed. As a result, many choose to avoid using useful technologies altogether rather than risk legal trouble, even when they are fully entitled to use these technologies.
Consequently, (solo) self-employed individuals, freelancers, and small businesses – especially those that actually value data protection and business confidentiality – find themselves in a dilemma: They want to use AI tools like chatbots for their online offerings or leverage AI for writing, information analysis, and processing. Yet, the opaque legal landscape and the threat of penalties under the General Data Protection Regulation (GDPR) or the newly implemented, increasingly enforced Artificial Intelligence Act (AIA) create fear. Many refrain from using these tools out of uncertainty, even though they suspect that more is permitted and much more could be achieved with the right legal understanding. This challenge affects many – and that is precisely why a practical solution is needed that appropriately takes into account the interests and capabilities of SMEs and consumers to deal with complex legal matters confidently and without fear.
The issue is particularly evident with the GDPR and the AIA. These regulations were intended to primarily target large tech corporations, other major companies, authorities, and judicial systems. In practice, however, they often impact smaller players more harshly than anticipated; or smaller players fear severe sanctions and are thereby paralyzed.
The current situation is therefore paradoxical: It was never the EU legislator’s intention for SMEs and consumers to refrain from using digital innovations out of fear of legal consequences, even though they are allowed to use them. Of course, the protective purposes of the GDPR and the AIA should also be upheld by SMEs and, where applicable, consumers, by complying with these standards. The proposed regulation does not seek to undermine these objectives.
The proposal below aims to ensure that the GDPR and the AIA are applied fairly and simply by SMEs and consumers, as well as by supervisory authorities or courts with respect to SMEs and consumers. Consumers and SMEs should be able to assess more easily whether they fall under these regulations, whether they face severe sanctions, or whether they can wait to see if a major (software) provider on which they depend will be sanctioned. The goal is that SMEs and consumers do not need to seek costly and complicated legal advice just for this purpose.
————————————————————————————-
EU Proposal: Regulation to Avoid Unnecessary Bureaucracy and Sanctions for SMEs and Consumers (“Cut-the-Crap Regulation”)
Recital: Small and medium-sized enterprises (SMEs) and consumers are disproportionately burdened by the application of the General Data Protection Regulation (GDPR), the Artificial Intelligence Act (AIA), and other Union regulations. They face difficulties in applying and understanding these rules because they are highly complex. This regulation aims to dispel misconceptions among SMEs and consumers regarding the effects and sanctions of Union law. It seeks to achieve a uniform EU-wide application of laws by supervisory authorities through clear regulations. Most importantly, this regulation aims to ensure fair regulation to prevent an overly harsh and frequent approach toward SMEs and consumers compared to large companies. Therefore, it is hereby clarified through explicit provisions that SMEs and consumers should only face immediate regulatory fines, penalties, or obligations in exceptional cases. Instead, they should be empowered to comply with regulations in a supportive manner as responsible SMEs and consumers. This regulation is intended to prevent SMEs and consumers from being disproportionately disadvantaged. Instead, large companies should be held accountable first. This is because the lawful conduct of SMEs and consumers often depends on whether large companies act in accordance with the law as providers of whom SMEs and consumers are customers (particularly concerning major online platforms, where network effects cause many SMEs and consumers to participate, but it remains unclear how the platform processes personal data or uses AI).
Article 1: Immediate Applicability of Proportionality and Warning Requirement
The requirements of the GDPR and the AIA may only be applied proportionally to SMEs and consumers in the following way: Fines, penalties, obligations, or ancillary provisions may only be imposed after at least two (written or digital) warnings from the competent supervisory authority, clearly stating the conduct in question and the potential sanctions. This “two strikes and then you’re about to get sanctioned” principle shall apply directly throughout the EU.
Article 2: Protection for the Use of Standard Software and Commercial IT Services
SMEs and consumers using the following offerings (the “offerings”):
- Operating systems
- Standard business software
- IT/cloud-based business software and databases
- Video/audio conferencing systems
- Messaging services
- Generative AI
cannot be penalized or sanctioned by authorities or third parties solely due to their private or professional use of these offerings, unless the respective provider of these offerings has been definitively sanctioned by a competent authority for the underlying offering. Only after such a sanction can supervisory authorities take action against SMEs or consumers. SMEs and consumers may invoke this regulation directly to defend themselves against authorities, courts, and third parties.
Article 3: Reversal of the Burden of Proof and Justification Requirements for SMEs
For SMEs, there is a legal presumption that all their data processing activities are initially justified under the GDPR and the AIA (and the corresponding laws of the Member States). It is up to the supervisory authorities to prove otherwise. This reversal of the burden of proof merely relieves SMEs from the obligation to proactively demonstrate the legality of their data processing to supervisory authorities. However, they are not exempted from complying with the GDPR and other Union or national data protection laws – all documentation requirements still apply. Supervisory authorities shall support SMEs to enable them to conduct all data processing as simply as possible in compliance with the law.
Article 4: Simplifications for Consumers and SMEs under AIA
Consumers, (solo) self-employed individuals, and micro-enterprises are not considered providers or deployers under the AIA. They are exempt from the duties and responsibilities applicable to providers and deployers. However, they should strive to acquire AI competence as intended by the AIA.
Article 5: Anti-Avoidance Clause for Large Enterprises
Large enterprises may not circumvent the scope of the GDPR and the AIA by outsourcing tasks or responsibilities to SMEs or consumers. Neither through consulting contracts nor through equity stakes may attempts be made to avoid regulatory obligations or penalties that would otherwise apply to the large enterprise. Any outsourcing or delegation of duties solely intended to circumvent regulatory requirements is impermissible and will be treated as a violation of this regulation, resulting in this regulation not applying in favour of the respective large enterprise.
Political Justification
This proposal aims to counteract the partially perceived but also real regulatory uncertainty and excessive complexity that pose a significant challenge, particularly for small and medium-sized enterprises (SMEs) and consumers, when applying the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AIA). The legal landscape and regulatory practice of the GDPR (and, expectedly soon, the regulatory practice of the AIA) often impact SMEs and consumers more harshly than originally intended by the EU legislator. This is due to legal situations that are unclear, or perceived as unclear, which makes matters harder for SMEs and consumers than the European legislator intended. Even erroneous legal views can unfortunately become factual in a complex legal landscape and undermine the intent of the European legislator. The result is unnecessary avoidance strategies and apathy among SMEs and consumers. The EU should act against this. The European legislator’s intention, especially with the GDPR and the AIA, was not to create disproportionate regulatory burdens for SMEs and consumers. Instead, the primary focus should be on large enterprises (“BigTech”) and the risks they pose, while keeping the burden on smaller players as low as possible. However, the legal landscape should not be weakened. Rather, SMEs and consumers – as responsible actors – should be encouraged to comply with the GDPR and the AIA without fearing a potentially unclear legal situation and regulatory practice. The goal is for SMEs and consumers to carry out data processing and use AI systems in compliance with the law, rather than unnecessarily refraining from doing so out of mistaken fear of sanctions and liability. As the AIA represents a new cross-sector software regulation, medium-sized enterprises should not be excluded from its scope, as they often use their own software and have the competence to comply with the AIA.
However, micro-enterprises, solo self-employed individuals, and consumers could quickly be considered “providers” or “deployers” and thus regulated entities under the AIA, which does not make sense if, for instance, they are only using off-the-shelf chatbots as writing aids or deploying a chatbot on their small website. To prevent an overly broad (and inconsistent) interpretation of the term “deployer” in EU-wide supervisory practice (and an overly broad, or perceived as overly broad, legal landscape among advisors, micro-enterprises, solo self-employed individuals, and consumers), this should be clarified immediately.
Published under licence CC BY-NC-ND.