On 21 April 2021, the European Commission proposed a new, transformative legal framework to govern the use of artificial intelligence (AI) in the European Union. The proposal adopts a risk-based approach whereby the uses of artificial intelligence are categorised and restricted according to whether they pose an unacceptable, high, or low risk to human safety and fundamental rights. The policy is widely considered to be one of the first of its kind in the world which would, if passed, have profound and far-reaching consequences for organisations that develop or use technologies incorporating artificial intelligence.


The European Commission's proposal has been in the making since 2017, when EU legislators enacted a resolution and a report with recommendations to the Commission on Civil Law Rules on Robotics. In 2020, the European Commission published a white paper on artificial intelligence. Last October, the European Parliament issued a resolution with recommendations to the Commission on a civil liability regime for artificial intelligence.

The proposal issued last month draws from all of these documents in seeking to "address the risks and problems linked to AI, without unduly constraining or hindering technological development." These twin objectives of the regulation, which are namely, the maintenance of both trust and excellence in AI technology, were echoed in a statement by Margrethe Vestager, the European Commission's executive vice president for the digital age, upon publication of the proposal on 21 April, in which she said "With these landmark rules, the EU is spearheading the development of new global norms to make sure AI can be trusted. By setting the standards, we can pave the way for ethical technology worldwide and ensure that the EU remains competitive along the way."

Application & Framework

The proposed rules would apply to all providers of artificial intelligence systems who place on the market (or put into service) artificial intelligence systems in the EU, irrespective of whether they are established within the EU, as well as to users of artificial intelligence systems established within the EU. The rules would also apply to providers and users of artificial intelligence systems where the output produced by the system is used in the EU.

In adopting a risk-based approach to artificial intelligence, the proposal distinguishes among unacceptable, high, and low risks posed to the fundamental rights and safety of AI users.

Unacceptable risks, for example, include uses of AI that manipulate vulnerabilities of specific groups of people or attempt to evaluate individuals over time so as to give them a "social score." The use of "real-time" remote biometric identification systems in publicly accessible spaces is also deemed to pose an unacceptable risk to human safety and fundamental rights, although certain limited exceptions apply.

High-risk AI systems, on the other hand, could include functions related to critical infrastructure, educational training, and employee selection. Uses of artificial intelligence in this category will be subject to strict requirements that must be met and will need a completed conformity assessment before the technology may enter the European market. For example, providers must establish, maintain and document rigorous risk management systems, ensure an appropriate type and degree of transparency to users, and make provisions for effective oversight and control of the AI technology by natural persons.

For low-risk AI systems that interact with humans, detect emotions or determine association with social categories based on biometric data, or generate or manipulate content (such as those used to create "deep fakes"), transparency obligations will have to be complied with. Users must be notified of the circumstances surrounding their interaction with the AI system so as to allow those users to make an informed choice in continuing to use the technology.

Governance & Enforcement

With respect to governance, the proposal would establish a European Artificial Intelligence Board composed of representatives from the EU Member States and the Commission in order to facilitate implementation of the regulation. At the national level, EU Member States will be responsible for designating competent authorities to take all measures necessary to ensure that the rules are property and effectively implemented.

Non-compliance with prohibitions or requirements laid out in the regulation would be severe, with penalties of up to €30,000,000 or 6% of total worldwide annual turnover (whichever is higher).

Global Context & Next Steps

Over the last decade, the EU has played a leading role in shaping and transforming regulation on the use of emerging technologies and data worldwide, most notably with the General Data Protection Regulation and most recently with its proposals on the Digital Services Act and Digital Markets Act. If enacted, this regulation could act as a similar blueprint for future artificial intelligence regulations adopted by other countries around the world. Still, it could be several years before the proposed regulation becomes law in the EU. Most immediately, the European Parliament and EU Member States will have to adopt the proposal for it to come into force. Once adopted, the AI regulation will be directly applicable across the EU.

Alongside the new legal framework on AI, the European Commission has also proposed new rules on machinery products to ensure that the new generation of machinery guarantees the safety of users and consumers, as well as the safe integration of the AI systems into machinery.

While the EU is one of the first to move the regulation of artificial intelligence forward, it joins a host of other regions that have demonstrated a similar interest in regulating current and emerging technologies more closely. The UK Government recently announced its intention to introduce new legislation to regulate the security of consumer smart devices and President Biden of the United States has also recently signalled plans to rein in Big Tech by selecting prominent antitrust scholars for positions in the Federal Trade Commission and the National Economic Council. Proposals to further regulate the uses of technology and data are likely to emerge around the world in the coming years.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.