WHITE SMOKE: EU’s institutions have reached an agreement on AI Regulation

UPDATE: On Wednesday, the 13th of March, the EU Parliament approved the Artificial Intelligence Act that ensures safety and compliance with fundamental rights, while boosting innovation. The Members of the European Parliament authorized the AI Regulation with 523 votes in favor, 46 against and 49 abstentions. 

This AI Act intends to protect fundamental rights, democracy, and – of course – the individuals, whilst still allowing this tech to push for innovation or improve existing processes. It provides the guidelines to ensure companies can be leaders in their fields while staying compliant and avoiding risk.

You can check our webinar on “Understanding the EU AI Act and Its Implications – How to Stay Privacy Compliant and Take Advantage of AI Tech“ here.

When more information is provided by the EU governing bodies, we will create a new blog post covering what you need to be aware of.


On the 9th of December 2023, the European Parliament and the Council of the European Union (“EU”) reached an agreement on the EU’s much-anticipated Regulation on artificial intelligence (“AI Act”). We now have a glimpse of the final agreement from the Commission, the Council, and the Parliament, yet certain details still need to be adjusted.

AI will be defined in the final wording using the OECD definition as a guide, which states that AI is:

“A machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments”

The European Council claims that this definition seeks to set artificial intelligence apart from “simpler software systems“, making it clear that the material scope of the Regulation is specific.

Regardless of where the provider is located, the AI Act will apply to companies that offer AI systems for sale or use in the EU. Additionally, it will cover users of AI systems in the EU as well as providers and users in third countries when the system’s output is utilized within the EU, much like the GDPR’s territorial scope.

The AI Act should not impact member state authority over national security matters, nor does it apply to areas beyond the purview of EU legislation. Systems utilized only for military or defense objectives are not covered by it. It also doesn’t apply to people who use AI for non-professional purposes or to systems used only for research and innovation.

Additionally, the European Council stated that the AI Act will clarify the obligations of both suppliers and users of AI systems, as well as the connections between the Act’s responsibilities and those of other laws, like sector-specific or data protection laws.

The AI Act divides risks connected to particular applications of AI into four levels of risk and sets rules based on each level.

Applications with minimal risk will benefit from “a free pass and absence of obligations,” the Commission pointed out. Applications with minimal risk include spam filters and video games powered by AI. On the flip side, because of their “significant potential to harm health, safety, fundamental rights, environment, democracy, and the rule of law,” some AI systems will be categorized as high risk. These systems will be subject to a mandatory fundamental rights impact assessment, among other requirements. In between, there will be systems that pose a limited risk, such as chatbots. Finally, the EU will not allow the deployment of certain AI applications whose risks are considered unacceptable. These include social scoring, emotion recognition in the workplace and educational institutions, predictive policing, and cognitive behavioral manipulation. With a few restricted exceptions, remote biometric identification technologies like facial recognition will likewise be prohibited.

There will also be extra responsibilities for general-purpose AI models that satisfy requirements indicating that they represent a “systemic risk”. Model evaluations, systemic risk assessments and mitigation, adversarial testing, reporting to the European Commission on important security incidents, safeguarding cybersecurity, and energy efficiency reporting are among the responsibilities. To comply with the AI Regulation, these models may rely on codes of practice developed in collaboration with the EU AI Office until harmonized EU standards are issued.

When it is required for law enforcement, the AI Act permits the deployment of real-time remote biometric identification systems, often known as live facial recognition, in publicly accessible areas. This is allowed only in very specific, extraordinary cases, such as identifying the victims of crimes like kidnapping, trafficking, or sexual exploitation, stopping a particular terrorist threat, or identifying a person suspected of committing a particular crime like terrorism, murder, rape, or armed robbery. In these situations, law enforcement officials using real-time remote biometric identification technologies must also adhere to additional safeguards.

Much like with the GDPR, fines will be considerable. Under the AI Regulation, the maximum fines go up to 35M€ or 7% of global turnover for breaches relating to banned AI applications; 15M€ or 3% of global turnover for breaches of other obligations set out in the AI Regulation; and 1.5% of global turnover for the supply of incorrect information. The Commission has also stated that “more proportionate caps will be imposed on administrative fines for SMEs and start-ups”.

Each Member State’s market surveillance authorities will be the national authorities responsible for the correct application and surveillance of the law. They will also be in charge of implementing the rules at a national level, and individuals will be able to lodge a complaint with them.

As previously mentioned, a new AI Office will also be created, which will be under the umbrella of the European Commission, and whose most important task will be to ensure coordination at the European level. Moreover, the AI Office will be overseeing general-purpose AI models, helping develop standards and testing procedures, and drawing feedback from a team of impartial scientific experts. 

Representatives from the EU member states will also form an AI Board, which will serve as a platform for coordination and advice to the European Commission. It will assist with implementation by helping to create codes of practice for general-purpose AI models, among other things. To offer technical knowledge to the AI Board, an advisory forum comprising representatives from businesses, SMEs, start-ups, civil society, and academia will be established.

The wording of the AI Act must be legally adopted by the Council and the Parliament after its specifics are agreed upon. After that, it will be published in the Official Journal and enter into force twenty days later. However, the majority of the provisions will only start to apply two years after entry into force, with the exception of the bans, which take effect after six months, and the general-purpose AI rules, which take effect after a year.

If you and your company are eager to adopt the AI Regulation early, you will be glad to hear that the Commission is initiating an AI Pact in the interim to promote the voluntary fulfilment of important duties before the new legislation comes into force.

The European Union is the pioneer globally in attempting to enact legislation regarding artificial intelligence. Being the first of its kind, this legislative proposal has the potential to promote the European approach to tech regulation internationally by serving as a worldwide standard for AI legislation in other jurisdictions, much like the GDPR (General Data Protection Regulation) has done for data privacy.

Created by:

Borneo
