DPIAs Won’t Save Us: Rethinking Risk With The FRIA

Over the last decade, AI has become embedded in everything from fraud detection and cyber defence to public service delivery. Unfortunately, Data Protection Impact Assessments (DPIAs) have not kept pace, yet we still rely heavily on them to flag vulnerabilities and risks. DPIAs are no longer up to the job when it comes to emerging tech. Why? Because DPIAs were never designed to capture the societal and structural injustices introduced by many of these systems. Traditionally, the ‘harms’ detected during a DPIA were found in the data itself, in its collection, or in its processing. With emerging tech, however, harms can also arise from a system’s inferencing and prediction capabilities, its opacity, future unplanned uses, and the imbalance of power it creates. Yet we are increasingly relying on DPIAs to govern exactly these systems, which process huge volumes of personal and sensitive data in sectors such as health, welfare, education, and law enforcement.

DPIAs identify risks arising from the processing of personal data and outline how to minimise them early in the development process. The risks identified are mainly those relating to the rights and freedoms of the individual – the key rights typically considered are 1) the right to data protection and 2) the right to privacy, and often 3) freedom of expression and 4) non-discrimination. They do not, however, typically explore the wider array of human rights. For example, the Dutch government used a predictive system (SyRI) to flag people in poor neighbourhoods for welfare fraud based on data profiling. It disproportionately targeted migrants and low-income individuals. A comprehensive DPIA had been conducted for the SyRI welfare fraud detection system – yet, among other rights, the system violated the right to non-discrimination under the European Convention on Human Rights, and was consequently struck down in court. Imagine being flagged as a fraudster because of your postcode and family structure, without due process and with no easy way to contest it. While the DPIA may have been completed, no one asked: ‘Is this fair?’ or ‘Is this socially just?’

This is where the Fundamental Rights Impact Assessment (FRIA) comes in. The FRIA requires impact assessments to consider a broader set of human rights, beyond those typical of a DPIA, such as (but not limited to):

  • Freedom of assembly and association
  • Right to education
  • Respect for family and private life
  • Right to asylum
  • Right to access justice
  • Right to good administration
  • Right to effective remedy and fair trial
  • Rights of the child
  • Right to human dignity
  • Right to engage in work
  • Presumption of innocence and right of defence
  • Rights of the elderly and the disabled

The EU AI Act and the Rise of the FRIA

With the EU AI Act, certain organisations deploying high-risk AI systems will be required to perform a Fundamental Rights Impact Assessment (FRIA) – particularly bodies governed by public law and private entities providing public services. And here’s the kicker: Article 27(4) of the Act explicitly links the FRIA with the DPIA. If a DPIA has already been completed, the FRIA must complement it—not duplicate it.

Why This Matters for Ireland’s Cybersecurity Community

Ireland hosts the EU headquarters of global tech giants, processes enormous volumes of personal data, and plays a growing role in public sector digitisation. We are not just “users” of AI—we are part of the AI production pipeline. That means we carry ethical, legal, and operational responsibility for how these systems impact people across Europe. If we rely on DPIAs alone to navigate the complex ethical terrain of emerging technologies, we will miss the deeper, structural harms that systems like SyRI have made painfully visible.

The FRIA is not just another tick-the-box exercise. It is a signal that Europe, and the EU AI Act in particular, is calling time on assessments that fail to capture how power, design, and data intersect in people’s lives. For Ireland’s tech leaders, it represents a call to revise our DPIA processes and move them away from a compliance approach (“is it legal?”) towards a justice-oriented approach (“is it fair, dignified, and societally responsible?”).