On December 9, 2023, the European Commission (Commission) announced that a political agreement was reached between the European Parliament and the Council on the Artificial Intelligence (AI) Act (AI Act), as proposed by the Commission in April 2021. It is considered the first text of its kind in the world.
BACKGROUND
For years, the Commission has taken the lead to facilitate and enhance cooperation on AI across the European Union (EU) to boost its competitiveness and ensure trust within the EU market. It started in 2018 with the publication of the European Strategy on AI, followed by the above-mentioned political agreement in late 2023.
The AI Act mainly aims at addressing the risks generated by specific uses of AI through what the Commission hopes is a set of complementary, proportionate, and flexible rules to set a harmonized standard within the EU—the goal being promotion of innovation in Europe, while limiting the potential pitfalls of AI.
MAIN TAKEAWAYS
- Risk-based system
The new rules of the AI Act will apply directly in the same way across all EU Member States, through a framework based on four different levels of risk: unacceptable risk, high risk, minimal risk, and specific-transparency risk.
Unacceptable-risk AI systems are AI systems considered a clear threat to the fundamental rights of people. This includes AI systems or applications that manipulate human behavior to circumvent users' free will. Such AI systems will be banned.
High-risk AI systems include certain critical infrastructures; medical devices; systems to determine access to educational institutions or for recruiting people; certain systems used in the fields of law enforcement, border control, administration of justice and democratic processes; and biometric identification. Such AI systems will be required to comply with strict requirements—including risk-mitigation systems, high quality of data sets, logging of activity, detailed documentation, clear user information, human oversight, and a high level of robustness, accuracy, and cybersecurity.
Minimal-risk AI systems are AI-enabled recommender systems or spam filters. These AI systems will not be subject to any obligations, as they present only minimal or no risk for citizens' rights or safety. It should be noted that it is expected that the vast majority of AI systems fall into this category.
Specific-transparency-risk AI systems refer to AI systems such as chatbots. Such AI-generated content will have to be labeled as such, and users need to be informed when biometric categorization or emotion recognition systems are being used.
- General-purpose AI and governance
According to the Commission, national competent market-surveillance authorities will supervise the implementation of the new rules at a national level, while the creation of a new EU AI Office within the Commission will ensure coordination at the EU level. The new AI Office will also supervise the implementation and enforcement of the new rules on general-purpose AI models. Along with the national market-surveillance authorities, the AI Office will be the first body globally that enforces binding rules on AI and is therefore expected to become an international reference point.
- Fines
Companies that are noncompliant with the AI Act will be fined (i) from EU€35M or 7% of global annual turnover (whichever is higher) for violations of banned AI applications; (ii) EU€15M or 3% for violations of other obligations and EU€7.5M; or (iii) 1.5% for supplying incorrect information.
More-proportionate caps are foreseen for administrative fines for small and medium enterprises (SMEs) and startups in case of infringements of the AI Act.
NEXT STEPS
The 2023 political agreement is subject to formal approval by the European Parliament and the Council, and will enter into force 20 days after publication in the Official Journal.
After this publication, the AI Act will become applicable two years after its entry into force, however prohibitions will already apply after six months while the rules on general-purpose AI will apply after 12 months.
To bridge the transitional period before the AI Act becomes generally applicable, the Commission will be launching an AI Pact. It will convene AI developers from Europe and around the world who commit on a voluntary basis to implement key obligations of the AI Act ahead of the legal deadlines.
CRITICISM
The AI Act is, however, not without controversy, as French President Emmanuel Macron has criticized its potential to in fact stifle innovation and, as such, regulate French AI innovators out of existence. Leaders from Germany and Italy have showed similar pushbacks and, along with France, have reached their own agreement on how AI should be regulated, which was extensively covered in the media in November 2023. The AI Act has also received challenges from industry groups like DigitalEurope for making compliance expensive. France is home to one of the leaders in European AI—Mistral AI.
WHAT CLIENTS SHOULD THINK ABOUT
Companies should assess the impact of the upcoming AI Act on their business and discuss with their legal teams how the passage of the AI Act may impact them in various EU jurisdictions. While the 2023 political agreement is subject to formal approval by the European Parliament and the Council, indication is that the additional compliance will certainly add risks to all structures, and compliance departments should prepare, and at least assess their risk appetite.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
