Source: OJ L, 2024/1689, 12.7.2024
Article 78 Confidentiality
Summary: What does Article 78 of the AI act regulation say?
This article establishes the confidentiality obligations that apply to all parties involved in the application of the regulation — including the Commission, market surveillance authorities, notified bodies, and any other natural or legal person carrying out tasks under it.
It sets out a broad duty to protect information obtained in the course of those tasks, covering trade secrets, source code, security interests, ongoing proceedings, and classified information.
The article is referenced extensively throughout the regulation wherever sensitive information is accessed or exchanged, making it a foundational cross-cutting provision.
It also includes specific rules for particularly sensitive contexts, namely where high-risk AI systems are used or provided by law enforcement, border control, immigration, or asylum authorities, placing additional restrictions on disclosure and physical custody of technical documentation.
Important points:
- All authorities and persons involved in applying the regulation are required to respect confidentiality of information obtained in carrying out their tasks, protecting trade secrets, security interests, and classified data.
- Authorities may only request data strictly necessary for their risk assessment tasks and must put in place cybersecurity measures to protect it, deleting it once it is no longer needed.
- Where law enforcement, border control, immigration, or asylum authorities are involved, confidential information exchanged between national competent authorities and the Commission cannot be disclosed without prior consultation of the originating authority and the deployer, and sensitive operational data is excluded from such exchanges entirely.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The Commission, market surveillance authorities and notified bodies and any other natural or legal person involved in the application of this Regulation shall, in accordance with Union or national law, respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:
- the intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except in the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council (57);
- the effective implementation of this Regulation, in particular for the purposes of inspections, investigations or audits;
- public and national security interests;
- the conduct of criminal or administrative proceedings;
- information classified pursuant to Union or national law.
The authorities involved in the application of this Regulation pursuant to paragraph 1 shall request only data that is strictly necessary for the assessment of the risk posed by AI systems and for the exercise of their powers in accordance with this Regulation and with Regulation (EU) 2019/1020. They shall put in place adequate and effective cybersecurity measures to protect the security and confidentiality of the information and data obtained, and shall delete the data collected as soon as it is no longer needed for the purpose for which it was obtained, in accordance with applicable Union or national law.
Without prejudice to paragraphs 1 and 2, information exchanged on a confidential basis between the national competent authorities or between national competent authorities and the Commission shall not be disclosed without prior consultation of the originating national competent authority and the deployer when high-risk AI systems referred to in point 1, 6 or 7 of Annex III are used by law enforcement, border control, immigration or asylum authorities and when such disclosure would jeopardise public and national security interests. This exchange of information shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities.
When the law enforcement, immigration or asylum authorities are providers of high-risk AI systems referred to in point 1, 6 or 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 74(8) and (9), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof.
Paragraphs 1, 2 and 3 shall not affect the rights or obligations of the Commission, Member States and their relevant authorities, as well as those of notified bodies, with regard to the exchange of information and the dissemination of warnings, including in the context of cross-border cooperation, nor shall they affect the obligations of the parties concerned to provide information under criminal law of the Member States.
The Commission and Member States may exchange, where necessary and in accordance with relevant provisions of international and trade agreements, confidential information with regulatory authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of confidentiality.
Relevant recitals
Recital 167 Confidentiality
In order to ensure trustful and constructive cooperation of competent authorities on Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks, in accordance with Union or national law. They should carry out their tasks and activities in such a manner as to protect, in particular, intellectual property rights, confidential business information and trade secrets, the effective implementation of this Regulation, public and national security interests, the integrity of criminal and administrative proceedings, and the integrity of classified information.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
law enforcement authority
- any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
- any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
Footnote 57