The EU’s ‘Artificial Intelligence Act’ – New European Regulation of AI

Artificial intelligence (AI) is an extremely powerful tool, which is increasingly prominent in our technologically advancing world, as shown by the rise of ChatGPT (see our article).

AI and machine learning-enabled technologies are being used in everyday life and across sectors from transportation, robotics, science, medicine, education, the military, surveillance, and more. However, rapid developments in AI have led to increasing calls for regulation, particularly in Europe. There has been a lot of concern over AI technology advancing too quickly without any rules, and potentially going too far and therefore resulting in serious risks and consequences.

The European Parliament approved the ‘EU Artificial Intelligence Act’ (EU AI Act) to regulate AI on 13 March 2024. This is a ground-breaking and landmark regulation, as the new law is said to be the first-ever comprehensive set of AI laws globally and could impact numerous AI actors globally. This article explores the forthcoming EU AI Act and its potential implications for businesses.

What is the principle of the EU AI Act?

The key aim of this law is to regulate AI and it is deemed to be the first far-reaching set of laws targeting AI globally. The key underlying principle is that the riskier the AI, the more stringent the level of regulation required.

The purpose of this ground-breaking law is to turn Europe into the ‘global hub for trustworthy AI’, to balance the safety of AI use for individuals, and this could be seen as a global standard for countries struggling to control the fast advancement of AI.  

The EU AI Act will set out rules around the development and use of AI. A primary concern is to ensure that the use of AI is safe and transparent, and the law aims to, amongst other things, strengthen rules regarding data quality, transparency, human oversight, and accountability when using AI.

The drive behind the law is that individuals should have trust and clarity around the use of AI. However, in practice, the law is likely to take effect gradually over several years and we do not expect such changes to be seen overnight.

It is vital to note that this law will have extra-territorial reach, meaning organisations based outside of the EU will need to comply with it in certain circumstances. This is similar to the General Data Protection Regulation (GDPR) law rules, which have impacted companies globally.

What will the EU AI Act do in practice?

The sweeping new laws adopt a risk-based approach and ban certain types of AI usage, whilst setting strict rules when using others. AI will be regulated according to the perceived risk levels, with different risk levels requiring differing obligations.

Once in force, the EU AI Act will impact several businesses – such as AI developers, providers, distributors, manufacturers, and importers who need to comply with its legal rules, and consumers whom the new law aims to protect when interacting with AI systems.

The EU AI Act is complex and comprehensive, but at this early stage we would highlight some of the key points for businesses to note:

• The EU AI Act is risk-based, with different types of risks categorised. The law imposes a classification system determining the level of risk that AI technology could impose, categorising tiers of risk as unacceptable, high, limited, and minimal risk. Whilst unacceptable risk systems are banned outright, high-risk AI systems will be subject to extremely stringent rules. For instance, the law will prohibit certain uses of AI systems altogether e.g., social scoring systems.

• The law will apply to companies outside of the EU that provide AI systems to EU customers, who would also need to ensure that their systems comply with the new legal rules. 
• It is further likely the law will have a global impact since so many global businesses are involved in commerce with the EU and a number of those deploy AI systems.

It is vital that businesses get this right and are compliant, failing which they could face severe penalties. Fines for breaching the EU AI Act are extremely high – breaching a prohibited practice under the law will be punishable with fines of up to €35 million, or 7% of a company’s annual worldwide revenue, whichever is higher. This is even higher than the already huge fines for breaching the GDPR- see our article.  

The newly established European AI Office will be tasked with monitoring, supervising, and enforcing the requirements of the new law. EU member states will need to put in place regulatory authorities to ensure compliance with the standards of the new law.

What Next?

The EU AI Act will enter into force gradually once it has been formally endorsed by the EU Council.

Practically, organisations will now need to move to conduct an analysis to determine what they will need to do to comply with the new law when in force.

We expect further details and guidance to emerge over the coming months.

Whilst we await the EU AI Act’s coming into force, initial steps for businesses to consider include:

• Understanding what types of AI your organisation uses and why – for instance, which types of AI you develop and deploy across your business operations.
• Considering whether the EU AI Act will apply to your business.
  If so, you will need to determine your role, as the new law imposes different obligations depending on the AI-related activities of an organisation. As mentioned above, non-European businesses should take note. The law will catch businesses who are located outside of the EU, who fall within its scope e.g., businesses who place AI systems in the EU market.
• Considering which provisions of the EU AI Act apply to your business and taking legal advice where necessary. This will require careful consideration of the level of risk associated with your AI systems and resulting obligations.
• Working towards compliance with the stringent new requirements of the EU AI Act, dependent on your AI-related business activities.

• This could include a range of new obligations such as onerous risk assessments, transparency requirements, audit obligations and security measures.
  
  Such compliance measures could have a significant impact, such as the need to restructure AI systems and build and implement brand-new procedures to promote transparency.
  
  This could be particularly difficult for businesses that use AI in various ways, who could play various roles under the act’s categorisations and therefore have a range of varying obligations.
• Ensuring that where you are using AI and those models process personal data, you are always acting in compliance with the GDPR rules. You should continue to always work towards GDPR compliance.

This will be sweeping and far-reaching legislation, so affected businesses should take active steps to review the law, and its requirements and prepare in advance for its implementation. If in doubt about your legal obligations, legal advice is vital.

What does the future look like for the UK?

The emergence of the EU AI Act is also significant for UK businesses, as the new EU law could provide a framework to inspire UK laws around the regulation of AI. 

Becky White, Senior Data Protection & Privacy Solicitor comments:

The EU AI Act will affect UK businesses with operations in the EU. While it doesn't directly apply to the UK, it does indicate a direction that could influence UK domestic legislation. It is expected that any UK-specific legislation will be intentionally aligned with the EU. Whilst UK AI legislation is currently in the white paper stage, and it's unlikely that we'll see any tangible outcomes from this Parliament, perhaps the next government will prioritise this issue.

Conclusion

The EU AI Act is ground-breaking and will present significant challenges for many businesses, especially those heavily involved in developing or using AI tools.

Nonetheless, proactive steps and early groundwork towards compliance now are advisable given the far-reaching scope of the legislation and the implications of non-compliance.  

This is a complicated and fast-moving topic, and this law will have several implications around the use of AI with further developments to follow.

If you would like legal advice on the EU AI Act and how it could impact your business, please contact our team who are happy to support you with navigating these new rules.