The EU AI Act and the Right to Privacy: Challenges of Harmonising Public-Sector AI Implementation in Candidate Countries, with a Case Study of North Macedonia
DOI:
https://doi.org/10.5281/zenodo.18644904Keywords:
EU AI Act, privacy, GDPR, Convention 108+, candidate countries, public-sector AI, North Macedonia, DPIA, fundamental rights, procurement governanceAbstract
The EU Artificial Intelligence Act (AI Act) establishes a risk-based framework for AI management, imposing strict requirements on high-risk systems commonly used by public authorities. Candidate countries seeking alignment with EU law face two main challenges: implementing controls equivalent to those in the AI Act and maintaining data-protection rules consistent with the GDPR and the Council of Europe’s Convention 108+. This paper proposes a compliance framework for public-sector AI, using North Macedonia as a case study due to its GDPR-based Law on Personal Data Protection. The study applies a standards-based approach to connect typical public-sector AI applications with the requirements of the AI Act and the safeguards in the GDPR and Convention 108+ and recommends a practical workflow that integrates fundamental-rights impact assessments (FRIAs) and data-protection impact assessments (DPIAs). The results indicate that effective harmonisation depends on defined roles for AI oversight and data protection authorities, procurement rules that support auditability, logging, and change control, and ongoing monitoring with enforceable redress mechanisms. Scenario analysis demonstrates that this integrated approach can reduce correction cycles and facilitate challenges to decisions over a 36-month period.
References
Citron, D. K., & Pasquale, F. (2014). The scored society: Due process for automated predictions. Washington Law Review, 89, 1–34.
European Data Protection Board. (2024). Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework (Adopted 16 July 2024).
European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). Official Journal of the European Union, L 119, 1–88.
European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council (Artificial Intelligence Act). Official Journal of the European Union, 2024/1689. EUR-Lex
Council of Europe. (2018). Modernisation of Convention 108: Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223). Portal
Council of Europe. (2020). Law on Personal Data Protection (Republic of North Macedonia) (“Official Gazette” No. 42/20 and 294/21). Council of Europe
Refworld. (2020). North Macedonia: Consolidated Law on Personal Data Protection (Official Gazette No. 42/20 and 294/21). Refworld
National Institute of Standards and Technology. (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0) (NIST AI 100-1). https://doi.org/10.6028/NIST.AI.100-1 NIST Publications
Floridi, L. (2019). Establishing the rules for building trustworthy AI. Nature Machine Intelligence, 1(6), 261–262.
Kroll, J. A. (2021). Outlawing discrimination in AI. Science, 374(6566), 104–105.
Selbst, A. D., Boyd, D., Friedler, S. A., Venkatasubramanian, S., & Vertesi, J. (2019). Fairness and abstraction in sociotechnical systems. In Proceedings of the ACM Conference on Fairness, Accountability, and Transparency (FAT*) (pp. 59–68). ACM.
Wachter, S., Mittelstadt, B., & Russell, C. (2021). Why fairness cannot be automated. AI and Ethics, 1, 117–134.
Veale, M., & Zuiderveen Borgesius, F. (2021). Demystifying the draft EU Artificial Intelligence Act—Analysing the good, the bad, and the unclear elements of the proposed approach. Computer Law Review International, 22(4), 97–112. https://doi.org/10.9785/cri-2021-220402 De Gruyter Brill
OECD. (2019). OECD principles on artificial intelligence. OECD Publishing.
Mantelero, A. (2024). The Fundamental Rights Impact Assessment (FRIA) in the AI Act: Roots, legal obligations and key elements for a model template. arXiv. arXiv
Reuters. (2025, April 11). Irish regulator investigates X over use of EU personal data to train Grok AI. Reuters
The Guardian. (2025, November 19). European Commission accused of “massive rollback” of digital protections. The Guardian
Daci, E., & Rexhepi, B. R. (2024). The role of management in microfinance institutions in Kosovo: A case study of the Dukagjini Region. Quality—Access to Success, 25(202).
Rexhepi, B. R., Murtezaj, I. M., Xhaferi, B. S., Raimi, N., Xhafa, H., & Xhaferi, S. (2024). Investment decisions related to the allocation of capital. Educational Administration: Theory and Practice, 30(6), 513–527. https://doi.org/10.53555/kuey.v30i6.5233
Murtezaj, I. M., Rexhepi, B. R., Xhaferi, B. S., Xhafa, H., & Xhaferi, S. (2024). The study and application of moral principles and values in the fields of accounting and auditing. Pakistan Journal of Life and Social Sciences, 22(2), 3885–3902. https://doi.org/10.57239/PJLSS-2024-22.2.00286
Murtezaj, I. M., Rexhepi, B. R., Dauti, B., & Xhafa, H. (2024). Mitigating economic losses and prospects for the development of the energy sector in the Republic of Kosovo. Economics of Development, 23(3), 82–92.
Rexhepi, B. R., Mustafa, L., Berisha, B. I., Vranovci, S. H., & Sadiku, M. K. (2024). Creating a factoring service specifically designed for small and medium enterprises at ProCredit Bank in Kosovo. International Journal of Religion. https://doi.org/10.61707/tc834x95
OECD. (2021). OECD framework for the classification of AI systems (policy background and risk governance materials). OECD Publishing.
Council of Europe. (2018). Explanatory report to the Protocol amending Convention 108 (CETS No. 223). Council of Europe Publishing.
European Commission. (2024). EU AI Act: official publication and legal text access via EUR-Lex. European Commission.
Mayer Brown. (2024). EU AI Act published: Which provisions apply when? (Practitioner implementation timeline note).
White & Case. (2024). Long awaited EU AI Act becomes law after publication in the EU’s Official Journal (implementation timing overview). White & Case LLP
Council of Europe Data Protection Unit. (2020). Convention 108+: Status and ratification updates. Council of Europe. Portal
World Bank. (2021). GovTech and digital public infrastructure: Implications for accountable public-sector automation. World Bank Group.
OECD. (2023). Public sector algorithmic transparency and governance: Institutional models and auditability (policy report). OECD Publishing.
Downloads
Published
How to Cite
Issue
Section
Categories
License
Copyright (c) 2026 Burhan Rexhepi
This work is licensed under a Creative Commons Attribution 4.0 International License.
All articles published in Ege Scholar Journal (ESJ) are open access and licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0). This licence permits use, sharing, adaptation, distribution, and reproduction in any medium or format, provided that appropriate credit is given to the author(s) and the source, a link to the licence is provided, and any changes made are indicated.
The author(s) retain copyright for their work. As long as they meet the conditions of CC BY 4.0, users are free to download, read, copy, print, and redistribute the content without prior permission.
Third-party material included in an article (e.g., figures, tables, images) is covered by the same licence unless otherwise stated in the credit line. If material is not included under the article’s licence and your intended use is not permitted by statutory regulation, permission must be obtained from the copyright holder.
License: https://creativecommons.org/licenses/by/4.0/
