AI Regulation in the EU
On March 13, 2024, the European Parliament adopted the Artificial Intelligence Act (AI Act), hailed as the world’s first comprehensive horizontal legal framework for AI. This groundbreaking legislation establishes EU-wide rules governing data quality, transparency, human oversight, and accountability. With stringent requirements and fines of up to 35 million euros or 7% of global annual revenue (whichever is higher), the AI Act is poised to significantly influence the operations of numerous companies conducting business within the European Union.
Background: From Proposal to Political Agreement
The journey towards the AI Act commenced when the European Commission introduced its proposal for AI regulation in April 2021. Subsequent negotiations with the European Parliament and the Council of the European Union culminated in a political agreement reached in December 2023. With the European Parliament’s vote, the legislative process is nearing completion. The AI Act is slated to enter into force 20 days after publication in the Official Journal, expected in May or June 2024. Most provisions will become applicable two years after its entry into force, with exceptions for certain provisions.
Defining Key Concepts
Central to the AI Act is the definition of AI itself. Initially criticized for its broad scope, the final definition draws inspiration from the OECD’s widely accepted definition. Key characteristics of AI systems, including varying levels of autonomy and the ability to infer from input to generate outputs influencing physical or virtual environments, underpin the definition outlined in Article 3(1) of the AI Act. Recital 12 further elaborates on the legislative intent behind this definition, emphasizing the distinction between AI systems and traditional software systems.
Who Falls Under the AI Act’s Purview?
The AI Act casts a wide net, applying to providers, importers, distributors, and deployers of AI systems within the European Union. Notably, it has extraterritorial reach, encompassing providers and deployers outside the EU whose systems impact the EU market or its residents. However, exemptions exist for AI systems developed solely for scientific research, as well as those released under free and open-source licenses.
EU’s Risk-Based Approach: Regulatory Categories
The AI Act adopts a risk-based approach, categorizing AI systems into various risk levels:
1. Unacceptable Risk: Prohibited AI practices, including those manipulating human behavior or exploiting vulnerabilities, are expressly banned.
2. High Risk: Stringent requirements apply to high-risk AI systems, necessitating compliance with robust risk-mitigation measures.
3. Limited Risk: AI systems interacting directly with individuals must ensure transparency, while minimal-risk AI systems face minimal restrictions.
4. General-Purpose AI Models: A new addition to the Act, these models are subject to distinct regulations, especially those with systemic risk or high-impact capabilities.
Harmonization with GDPR: Ensuring Data Protection
The AI Act’s provisions dovetail with existing EU data protection regulations, ensuring alignment with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. This harmonization underscores the EU’s commitment to safeguarding personal data and privacy in the AI era.
Charting the Course for AI Regulation in the EU
The adoption of the AI Act by the European Parliament marks a significant milestone in the regulation of AI technologies. As companies and stakeholders navigate the intricacies of compliance, they must heed the AI Act’s provisions and timelines. With the EU at the forefront of AI regulation, the AI Act sets a precedent for global AI governance, balancing innovation with accountability and user protection in the digital age.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com Visit: delta-datenschutz.de
Author: Shernaz Jaehnel, Compliance and Privacy Advisor, CDPO/CIPP/CIPM