On March 13th, 2024, almost three years after the initial draft of the proposed legislation was published by the European Commission, the European Parliament approved the Artificial Intelligence Act (the “AI Act”).
We are pleased to provide you with a short overview of the essential implications of the AI Act. This legislation represents a significant milestone in the regulation of Artificial Intelligence (AI) within the European Union and has wide-ranging implications for businesses operating in or with the EU.
Overview of the AI Act
The AI Act introduces a regulatory framework centered around a risk-based approach to AI, aiming to safeguard fundamental rights and ensure AI systems’ safety and transparency. The Act differentiates between prohibited AI practices, high-risk AI systems (to which most of the obligations under the AI Act apply), limited risk systems and minimal or no risk AI systems, with specific obligations for each. It also includes a specific category for general-purpose AI systems.
Prohibited AI Practices
The Act bans AI applications that pose unacceptable risks, including AI systems that manipulate human behavior to circumvent a person’s own free will, AI systems used to exploit people’s vulnerabilities, social scoring, making risk assessments of natural persons in order to assess or predict the likelihood of a natural person committing a criminal offense, scraping of facial images in order to create or expand facial recognition databases, emotion recognition in the workplace and educational institutions, and biometric categorization systems that use sensitive information (for example, political beliefs, sexual orientation, race, etc.).
High-risk AI Systems
This category includes AI systems with significant implications for individuals’ rights and safety, such as systems that operate critical infrastructure such as water supply or systems that use automated processing of personal data to assess various aspects of a person’s life, such as work performance, economic situation, health, reliability, behavior, location or movement.
High-risk AI systems must comply with the obligation laid down in the AI Act, taking into account their intended purposes as well as the generally acknowledged state of the art on AI and AI-related technologies.
Key obligations for these systems include comprehensive risk management and quality management systems, event logging, detailed instructions for use, technical documentation, human oversight, and fundamental rights impact assessments before deployment.
In addition, before introducing certain AI systems to the market or starting their use, they must be registered in the EU’s database for high-risk AI systems. Moreover, if a company outside the EU wants to offer its high-risk AI systems in the EU market, it must first appoint an authorized representative within the EU. This representative, designated through a formal agreement, will carry out specific responsibilities as outlined in their mandate.
Transparency Obligations
AI systems that are intended to interact directly with natural persons are subject to transparency obligations, including an obligation to design and develop the system in a manner that such persons are informed that they are interacting with an AI system. Providers of AI systems, including GPAI systems, generating synthetic audio, image, video or text content, must ensure that the outputs of the AI system are marked in a machine-readable format and are detectable as artificially generated or manipulated. Additionally, providers of AI systems that generate or manipulate image, audio or video content constituting a deep fake, must disclose that the content has been artificially generated or manipulated.
General Purpose AI Models
Companies that provide General Purpose Artificial Intelligence (GPAI) models have specific responsibilities under the AI Act. They must: draw-up technical documentation and keep it up-to-date, put in place policies to comply with EU copyrights laws, and make a detailed summary about the content used for the training of the GPAI publicly available
For GPAI models that pose a systemic risk — meaning a risk that is specific to the high-impact capabilities of GPAI models, having a significant impact on the EU market due to their reach or due to actual or reasonably foreseeable negative effects on the public — additional duties apply. These include: conducting model evaluations, assessing and mitigating systemic risks and reporting obligations to the EU Commission.
Innovation Support through Regulatory Sandboxes
The Act encourages innovation by allowing the establishment of regulatory sandboxes, that provide a controlled environment that fosters innovation and facilitates development, training, testing and validation of innovative AI systems before they are placed on the market or put into service.
Rights and Complaints
The AI Act allows anyone who believes there has been a violation of its rules to file a complaint with the appropriate authority. Furthermore, if a person is impacted by a decision made with the help of a high-risk AI system, they have the right to receive a clear and detailed explanation from the system’s deployer. This explanation must cover how the AI system was used in making the decision and the key factors that influenced the final decision.
To Whom Does the EU AI Act Apply?
The AI Act applies not only to companies established in the EU, but also to non-EU companies as follows:
- providers putting into service or placing on the market AI systems or GPAI models in the EU;
- providers and deployers of AI systems the output of which is used in the EU;
- authorized representatives in the EU of providers which are not established in the EU.
There are certain exemptions to the applicability of the AI Act, including AI systems that are used for the sole purpose of scientific research and development, or that are exclusively used for military or defense purposes.
Enforcement and Sanctions
The AI Act will be enforceable enter into force within twenty days of its publication in the Official Journal of the European Union and most of its provisions will apply 24 months from its entry into force, with some exceptions for specific provisions (such as those relating to prohibited AI practices which shall become effective only 6 months after the publication in the Official Journal).
Non-compliance with the AI Act could lead to the imposition of fines amounting to up to the higher of 35 million euro or 7% of the company’s global turnover, depending on the type of violation and the size of the company (in the case of SMEs, including start-ups, the fine shall be the lesser of the two).
Preparation is Key
Taking into account the scope of the obligations to be imposed and the high penalties that companies may face if they fail to adhere to these obligations, it is critical for businesses developing AI systems or using AI systems in the EU or in connection with EU customers, to understand the implications of the AI Act and to prepare for its entry into force.
Gornitzky’s AI Group offers a broad range of legal services tailored to address the evolving legal and regulatory challenges in the field of AI. For more information about our AI practice visit our AI page.
Please feel free to contact us with any questions that you have on this matter.
This update is intended to provide general and concise information only. It does not constitute a full or complete analysis of the issues discussed and does not constitute a legal opinion or advice and therefore, should not be relied upon.