Although new technological contexts such as the use of artificial intelligence may require new, technology-specific legislative provisions, the General Data Protection Regulation (GDPR) is still the tool of choice to regulate personal data processing. This is also due to the fact that the GDPR is broadly applicable, as confirmed by case law of the Court of Justice of the EU (CJEU). Indeed, it has become easier to classify data as personal, as the terms “related to” and “identified or identifiable” as elements of the definition of personal data are interpreted broadly. Therefore, one may wonder whether the “general” in the GDPR could not be understood more broadly in terms of scope. For example, a general European data law could address various undesirable side effects of digitisation more comprehensively, becoming the ideal partner for any AI law. A broader risk-based harm approach, justified by the increasing importance of the interconnectedness of data and the intentions of data use, represents an interesting starting point in transforming the GDPR into a general European data law. For these reasons, our panel will focus on the following two topics. First, the increasing challenges in providing legal interoperability, specifically with regard to regulating AI, are highlighted. Second, the panel will explore the possibility of transforming the GDPR into a general European data law via a risk-based harm approach. Indeed, this could provide a new way to address legal interoperability issues and thereby also address the broader unwanted side effects of digitalisation, again particularly in relation to AI.
