EU regulation on AI in progress – what will it mean for your business?

The European Commission proposed a regulation on artificial intelligence (AI) on April 21, 2021, commonly called the AI Act (AIA). The regulation is aimed at ensuring the development and use of AI is safe, ethical, and respects fundamental rights, and would harmonise rules across the EU. The European Parliament is scheduled to vote on the AIA by the end of March 2023, and it is expected to be adopted within 2023. With AI undergoing an extremely rapid development these days, and a lot of businesses incorporating AI in their products and services at extreme speed, this new regulation should be on the radar as non-compliance can become expensive.

The AIA sets out various requirements, including a prohibition on the use of certain AI systems that pose a threat to the safety, livelihoods, or rights of individuals, obligations for providers to ensure their products comply with certain requirements, and the creation of a European Artificial Intelligence Board to oversee the implementation and enforcement of the regulation.

The AIA applies a risk-based approach, where AI systems are classified based on the risk associated with their use cases. It includes a ban on specific AI practices deemed to pose unacceptable risks, including the use of subliminal techniques to exploit users, social scoring, and AI systems used to manipulate human behaviour.

Furthermore, it provides for a range of requirements for so-called “high-risk” AI applications, such as decisional support systems used in the context of employment, education, provision of certain financial and insurance services, public management, law enforcement and administration of justice. This will include applications such as AI systems used to evaluate job applications or determine acceptance to universities, credit scoring systems, systems used to evaluate eligibility for welfare benefits, AI polygraphs and profiling systems used by law enforcement, and systems used by judicial authorities to interpret facts or the law.

The requirements for high-risk AI systems include requirements relating to data quality and data management, cyber-security and reliability, explainability and transparency, as well as risk management. These requirements will affect all stages of the AI systems’ lifecycle – from selecting training data sets to monitoring products that have been placed on the market.

A third category of AI systems, deemed to pose limited risks, will be subject to limited transparency requirements. This category includes AI systems that interact with people, such as chatbots, as well as biometric categorization systems, emotion recognition systems and systems that generate or manipulate images, audio or video content, such as the image generator DALL·E.

Interestingly, following the European Council’s review of the AIA, the Council suggested amendments that would include requirements specific to general-purpose AI systems, i.e., systems with generally applicable use cases, such as image classification and text generation. This would address some of the concerns raised around the use of these systems, such as the international attention around a Colombian judge who used ChatGPT in a ruling earlier this year.

The proposed regulation is a significant step towards ensuring that AI is developed and used in a safe, ethical, and responsible manner. Companies that use or develop AI, particularly those operating in high-risk sectors, will need to be prepared to meet the new regulatory requirements, which could lead to increased costs and administrative burdens – as well as risking fines of up to 6% of a company’s global turnover and being forced to withdraw their products from the market if they are not able to comply with the requirements.

At the same time, the proposed regulations could provide a competitive advantage for businesses that comply with the new standards, allowing them to demonstrate their commitment to ethical and trustworthy AI development. Since the AIA will harmonise rules across all EU countries, it can also lead to more legal certainty and clarity, as any conflicting requirements in local law will need to be repealed when the AIA is implemented.

Although it is expected that the AIA could enter into force by the end of 2023, the requirements will not apply overnight. The current draft includes a 36-month grace period from the day the regulation enters into force. But as part of product planning and development it is sensible to take the AIA into consideration.

Feel free to contact Hanne Heltne and Miriam Maria Biermann for any questions related to how this will affect your business.

Photo: Shutterstock