The European Union has reached a provisional agreement on the Artificial Intelligence Act (AI Act), the first comprehensive legislation in the world to regulate the use of AI.
The AI Act aims to protect society from 'unacceptable' and 'high risk' AI applications, while boosting innovation and making Europe a global leader in AI. It is expected that, if enacted, the guardrails imposed by the AI Act will set a global standard for AI regulation and will have a flow-down impact on organisations developing and adopting AI outside the EU.
Overview of the proposed AI Act
The AI Act will establish rules for AI applications based on the principle that 'the higher the risk, the stricter the rules'. Key features of the AI Act will include the following:
-
Banned applications: Certain types of AI applications that are deemed 'unacceptable' will be banned under the AI Act, with limited law enforcement exceptions. These are:
- biometric categorisation systems that use sensitive characteristics (e.g., political, religious, philosophical beliefs, sexual orientation, race);
- untargeted scraping of facial images from the internet / CCTV footage to create facial recognition databases;
- emotion recognition in the workplace and educational institutions;
- social scoring based on social behaviour or personal characteristics;
- AI systems that manipulate human behaviour to circumvent their free will; and
- AI used to exploit the vulnerabilities of people (due to their age, disability, social or economic situation). -
High risk applications: AI systems that are considered 'high risk' will be those that risk harming people's health, safety or fundamental rights (including, for example, self-driving cars and medical equipment).
Subject to certain exceptions, providers of these types of applications will be required, among other things, to:
- register these 'high risk' systems in an EU-wide database before releasing them to market or providing them as a service;
- comply with a range of requirements including in relation to risk management, data governance, transparency and security; and
- carry out rigorous testing both before being released to market and throughout the products' lifecycles. -
General AI systems: General purpose AI (GPIA) systems and those presenting only 'limited risk' would generally be subject to certain transparency obligations (e.g., disclosing that content is AI-generated so that users can decide whether they want to continue using that system). GPIA systems include those that interact with humans (i.e., chatbots) or which create image, audio or video content (e.g., deepfakes). GPIA systems will also have to adhere to transparency and other requirements including:
- drawing up technical documentation;
- complying with EU copyright law; and
- disseminating detailed summaries about the content used for training these systems. -
Territorial application: Application of and enforcement under the AI Act will depend on whether the AI system has an impact within the EU - even if the system provider or user is located elsewhere. This means that organisations or users of AI systems located in non-EU Member States may be subject to the AI Act. Further, compliance by organisations subject to the AI Act may result in AI Act standards extending beyond the EU where it is not cost efficient to re-train discrete models for different markets.
-
Penalties: Similar to GDPR, fines for violations of the AI Act will either be a predetermined amount or a percentage of the organisation's global annual turnover, whichever is higher. This would generally be €35 million or 7% for violations of the banned AI application rules, €15 million or 3% for certain AI Act obligations and €7.5 million or 1.5% for the supply of incorrect information.
Next steps
The agreed text of the AI Act will now have to be formally adopted by both the European Parliament and Council to become EU law. It is expected that the European Parliament will vote on the AI Act early next year, and that the legislation will take effect in 2025.
We will be monitoring developments and will provide a further update when the European Parliament has voted on the legislation. In the meantime, if you have any questions about how the AI Act proposals may affect your organisation, please do not hesitate to contact us.