The role of the risk-based approach in the General data protection Regulation and in the European Commission’s proposed Artificial Intelligence Act: Business as usual?

Abstract

In April 2021 the European Commission unveiled a proposal for a Regulation on Artificial Intelligence (AI), the so-called AI Act (AIA). The regulatory architecture of the proposed AIA is explicitly predicated upon a risk-based approach. This raises the question of whether the risk-based approach in the proposed AIA is the same as the one featured in the EU’s General Data Protection Regulation (GDPR), or whether there are differences. If there are, what are they, and how can they be framed? This contribution contrasts the two risk-based approaches by framing them as two different iterations of risk-based models of regulation: one concerned with better compliance (GDPR), and one concerned with determining which AI systems should be regulated (AIA). Framing things in terms of regulation models makes it possible to shift the focus to key components of risk-based models of regulation, namely the concept of risk at stake and the type of obligations for regulatees. In both cases, there seem to be some sharp contrasts at first sight. On closer inspection, however, these are not as acute as they first seemed. The contribution ends by reflecting upon the proposed AIA’s limited scope (i.e., limited to high-risk AI systems). Can the recourse to regulatory theory help shed some light on this issue and be instrumental in devising more encompassing and protective alternatives?

Year of Publication: 2021
Journal: Journal of Ethics and Legal Technologies
Volume: 3
Issue Number: 2
Start Page: 15
Last Page: 33
Date Published: 11/2021
ISSN Number: 2612-4920
Serial Article Number: 2
DOI: 10.14658/pupj-JELT-2021-2-2
Issue
Section: Articles