The EU Governance of Digital Technologies under the GDPR and the AI Act: A Rights-Based Perspective

The EU aims to assume a leading role in the governance of digital technologies. In this context, the GDPR and the AI Act come to the fore as key cases. In the scope of the thesis, these regulations are analyzed within the framework of Responsible Research and Innovation, a “new governance” model that aims at leading to results of innovation that can be deemed as responsible and ethically sound. In line with inclusiveness and ethical acceptability characteristics of RRI, the study explores the aspects related to participation and the incorporation of fundamental rights in the drafting process of the GDPR and AI Act. This thesis employs a qualitative research design combining comparative document analysis with semi-structured interviews. The analysis demonstrates that both regulations included mechanisms to ensure participation, primarily through public consultation and advocacy, that influenced the outcome of the regulations. While the final version of the GDPR can be interpreted as closer to the position of civil society and citizens who advocate for fundamental rights, the AI Act reflects more the demands of industry and business actors. From a rights-based perspective, it can be argued that whereas the Parliament adopted an approach that defends fundamental rights, these considerations were comparatively less prioritized in the Council. Notably, the adoption of the privacy by design principle and a clear reference given to a particular fundamental right, the right to data protection, makes GDPR a comprehensive rights-based legislation. Controversially, considering the risk-based structure and the vague reference to the fundamental rights, the AI Act cannot be classified as rights-based, as the discourse of rights remains largely rhetorical.