Dr Marco Fagnano, Legal Counsel at the Office of the Information and Data Protection Commissioner (IDPC), participated in a high-level panel discussion titled "Decoding AI and Data Regulations for Businesses", held at the Malta Digital Innovation Authority (MDIA) on 5 September 2025.
The panel brought together experts from regulatory bodies, and representatives of the Malta Chamber of SMEs, the Chamber of Commerce and Servizzi Ewropej f'Malta, to explore the evolving regulatory landscape surrounding artificial intelligence, data privacy, and compliance challenges for businesses in Malta.
Dr Fagnano offered insights into the intersection of the EU AI Act and the GDPR, emphasizing the importance of factoring in data protection conformity by design and by default for AI-driven systems, on account of the heavy dependence of AI on personal data processing. Dr Fagnano also highlighted the importance of factoring in Article 22 of the GDPR, which regulates profiling and automated decision-making, where AI systems process personal data at some point.
Addressing the intersection between Data Protection Impact Assessments ('DPIA') and Fundamental Rights Impact Assessments ('FRIA'), Dr Fagnano highlighted that many of the principles and methodologies developed under the framework of DPIAs could serve as a useful foundation for conducting broader assessments of fundamental rights impacts. Dr Fagnano remarked that, in cases of AI systems which process personal data and which require a DPIA to be conducted in terms of the GDPR, a FRIA is required under the AI Act, complementing the DPIA.
The panel also discussed the growing need for entities, large and small, to adopt proactive data governance approaches akin to data protection compliance and highlighted the IDPC's commitment to supporting organisations through regulatory guidance and collaborative dialogue with other authorities. In this respect, mention was made of the Fundamental Rights Impact Assessment workshop being organised by the IDPC on 23 October at Trident Park, which will be carried out to help equip entities to comply with data protection and FRIA obligations.