Field Trips: 5 takeaways on shaping the EU AI Act with Dan Nechita

As the industry’s first Field Chief Privacy Officer, I’m on a mission to connect with privacy leaders, technologists, and policymakers to untangle the complexities of privacy and AI governance across various sectors.

Launching Transcend Field Trips: A CPO Listening Tour was a key part of this mission. My goal with the listening tour was simple: engage in meaningful conversations with privacy leaders, technologists, and regulators and share what I learn to illuminate the unique challenges of this space, and bridge the gap between privacy professionals and policymakers.

For the Field Trips series premiere, I could think of no better guest than Dan Nechita—Head of Cabinet to MEP Dragos Tudorache and a pivotal figure in the EU's legislative landscape. Sitting down together in Brussels, the epicenter of EU law-making, Dan and I explored how this landmark piece of legislation was crafted, the challenges of the negotiations that shaped the act’s requirements, and what privacy professionals should pay attention to as this law goes into force.

You’ll find my five key insights from our discussion below. I’d encourage you to watch the full conversation too, which I’ll include at the bottom of this post.

1. The EU AI Act was a uniquely collaborative legislative effort

Dan shared that the AI Act was a monumental effort involving around 40 MEPs. This collaboration, while atypical, was crucial for handling such a groundbreaking piece of legislation.

“For this file, we had two committees, two co-rapporteurs, and another 12 shadow rapporteurs, and a few other committees involved in different pieces of the legislation. So basically, it was about 40 MEPs working on the file,” Dan explained.

2. Defining a global standard for AI regulation started with defining AI

Corralling that many POVs wasn’t just about balancing different perspectives—it also forced big conversations about fundamental definitions and concepts. According to Dan, one of the most formidable tasks the committees faced was defining artificial intelligence.

Ultimately, the consensus was to align with global standards, particularly those set by the OECD, in order to ensure the AI Act resonated on an international level.

“The definition of artificial intelligence, what is artificial intelligence? That was very, very hard. Luckily, what we decided politically is we wanted to align as much as possible internationally. So we worked with the OECD in parallel to kind of converge on the definitions, and that kind of got us out of what seemed to be a deadlock.”

3. Establishing the AI Office

Including the AI Office in the act was a significant achievement pushed by the European Parliament, marking a pivotal moment in the legislative process.

The office is tasked (https://digital-strategy.ec.europa.eu/en/policies/ai-office) with becoming “the centre of AI expertise across the EU,” and according to the European Commission will be key to not only ensuring the act is implemented and enforced, but in promoting more generally the development of “trustworthy AI.”

Dan proudly recalled, “The whole discussion on generative AI and the establishment of the AI Office, [that] wasn’t a given. That’s what parliament added to the text…[It] was an uphill battle. I’m very proud to say that it came from our office—from Dragos and myself, really wanting a body that actually does EU-wide supervision of AI.”

4. Building on the GDPR foundation

For Dan and the wider group involved in the negotiations, it was crucial that the AI Act was not created in isolation, but rather built upon frameworks established by GDPR. This approach ensured the new act complemented existing legislation and requirements, particularly between Data Protection Impact Assessments (DPIAs) and Fundamental Rights Impact Assessments (FRIAs).

“We tried to take the GDPR as a golden standard, and we started from there.”

That was reassuring to hear as a CPO, as we all grapple with a (seemingly constant) barrage of new regs!

5. The role of the CPO and privacy professionals

As privacy pros, we're uniquely positioned to handle AI Act compliance, but it requires us to elevate our skills. We’re already the hub of data protection in our companies, and are best placed to bring together folks across both non-technical and technical disciplines, but it will require a technical uplevel to understand some of the novel challenges that AI poses.

“I would caution that it’s not a shoe in,” Dan noted. “There’s a lot of learning and a lot of building AI expertise because the AI Act [has] more requirements than what we had for data protection. But it’s a natural starting point.”

Watch the full conversation with Dan below. And follow me on LinkedIn for Episode 2 launching on July 23—another great conversation on the EU AI Act.