1) Suggest the GDPR principle of data minimization be clarified as a top priority
2) Suggest the term "Trustworthy AI" be strictly reserved for AI models that have been trained on strictly anonymous data and are used in setups that do not produce new personal data.
The AI regulation process is critically under-focusing on the data problem.
BigData surveillance and citizen profiling represent a primary threat to both markets and democracy. This core problem is not handled by simply listing a few exceptionally risky projects.
The problem is orders of magnitude worse, as BigData AI represents an approach to digital design that depends on systemic surveillance in order to feed the combination of personal data from multiple sources or transactions over time.
Critical here is that the main GDPR principle of data minimization is not even considered. It follows that, regardless of legitimate interest and/or consent, if training of AI models can happen without collecting personal data, then collecting and/or combining personal data from multiple sources is illegal.
The point is that this is indeed possible: SmallData AI represents strictly anonymous solutions where citizens themselves collect and combine data in order to feed anonymous data to the particular AI training project, thereby ensuring that the AI model does not depend on "infected data" or feed on undermining data security as a precondition.
SmallData AI represents both a generic solution to the problem and a challenge in itself, due to the necessarily distributed nature of SmallData AI solutions.
What is essential here is that the GDPR principle of data minimization according to the state of the art (e.g. article 5.1.C, 25 and 32) represents a general normative requirement to use anonymous data, limited only by the state of the art.
Today trustworthy anonymity is indeed possible, so it must be considered only a matter of time until BigData AI is incompatible with GDPR.
The above understanding should be made clear as a top priority. Without this, the selective banning of a few "risky AI projects" risks operating as a generic circumvention of GDPR.