In April 2021, the European Commission published its proposal for a European Union regulatory framework on artificial intelligence (AI). The proposed AI regulation aims to protect European citizens from the potential risks of AI technology and practices. While most AI systems pose little risk, certain systems create risks that must be addressed to avoid harm to individuals.
The AI Act is widely understood to be the first attempt globally to regulate AI. There are many concepts in the regulation which take direct inspiration from the General Data Protection Regulation (the “GDPR”), particularly the extra-territorial scope; enforcement via administrative fines; and the establishment of a European Artificial Intelligence Board (“EAIB”).
The AI Act proposes a risk-based approach around the use and governance of AI systems.
The regulation defines different levels of risk in AI:
Unacceptable Risk: AI systems that are deemed to be a clear threat to safety, livelihoods, and rights of people will be prohibited
High-risk: AI systems that could be a threat to the safety of individuals or may affect their livelihood. These systems will be subject to strict obligations such as risk assessments before they can be introduced.
Low or minimal risk: When using these AI systems, users should be made aware that they are interacting with a machine so they can make informed decisions about their interaction. Most AI systems fall into this category. These are not in the scope of the regulation as they present limited or no risk to individuals’ rights or safety.
Enforcement and Governance
The Commission proposes that Member States will be required to appoint national supervisory authorities to supervise the application of the regulation. The creation of the EAIB has also been proposed to “facilitate a smooth, effective and harmonised implementation” of the regulation.
Penalties for Infringement
Just like the GDPR, Member States through their supervisory authorities will have the ability to issue appropriate penalties, including administrative fines for non-compliance with the AI Act.
The regulation sets out thresholds to be considered:
Up to €30m or 6% of the total worldwide annual turnover of the preceding financial year for infringements on prohibited practices or non-compliance related to requirements on data governance.
Up to €20m or 4% of the total worldwide annual turnover of the preceding financial year for non-compliance with any of the other requirements or obligations of the Regulation.
The proposed regulation is currently going through standard legislative procedure. In recent months the Czech Republic in its role as current EU council president has presented a compromised text. The AI Act will become law once both the Council and the European Parliament agree on a common version of the text. The regulation may enter into force on a transitional basis in 2023 and be fully adopted in early 2024. It is expected that the preparation and impact of the AI Act will be similar to that of the GDPR. Just like the GDPR, it is hoped that it will become the standard globally for the regulation of AI.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.