AI Act Gets Final EU Approval: What Companies Can Do Now

Image: Unsplash

AI Act Gets Final EU Approval: What Companies Can Do Now

The European Council has approved headline-making legislation that will harmonize rules on artificial intelligence (“AI”) for all states in the 27-member bloc, marking the world’s “first horizontal and standalone law” governing AI. Following a vote ...

May 21, 2024 - By TFL

AI Act Gets Final EU Approval: What Companies Can Do Now

Image : Unsplash

Case Documentation

AI Act Gets Final EU Approval: What Companies Can Do Now

The European Council has approved headline-making legislation that will harmonize rules on artificial intelligence (“AI”) for all states in the 27-member bloc, marking the world’s “first horizontal and standalone law” governing AI. Following a vote in March, in which the EU Parliament voted in favor of enacting the AI-focused legislation, the European Council gave “the final green light” to the AI Act, a “ground-breaking” bill that aims to “foster the development and uptake of safe and trustworthy AI systems across the EU’s single market by both private and public actors.”

Not immediately effective, the AI Act still needs to be signed by the presidents of the European Parliament and of the Council, and then published in the EU’s Official Journal. It will enter into force twenty days after publication, and then “will apply two years after its entry into force, with some exceptions for specific provisions,” according to the European Council.

In light of the impending implementation of the new AI law, a high-level look at what the bill entails and how companies can prepare for it is warranted. Primarily, obligations that come in connection with the development/use of high-risk AI systems and transparency requirements for general-purpose AI systems are among some of the key tenets of the newly-approved AI Act … 

Banned applications: The new rules ban certain AI applications that threaten citizens’ rights, including biometric categorization systems based on sensitive characteristics and untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases. Emotion recognition in the workplace and schools, social scoring, predictive policing (when it is based solely on profiling a person or assessing their characteristics), and AI that manipulates human behavior or exploits people’s vulnerabilities will also be forbidden.

Law enforcement exemptions:  The use of biometric identification systems (“RBI”) by law enforcement is prohibited in principle, except in exhaustively listed and narrowly defined situations. “Real-time” RBI can only be deployed if strict safeguards are met, e.g. its use is limited in time and geographic scope and subject to specific prior judicial or administrative authorization. Such uses may include, for example, a targeted search of a missing person or preventing a terrorist attack. Using such systems post-facto (“post-remote RBI”) is considered a high-risk use case, requiring judicial authorization being linked to a criminal offence.

Obligations for high-risk systems: Clear obligations are also foreseen for other high-risk AI systems (due to their significant potential harm to health, safety, fundamental rights, environment, democracy, and the rule of law). Examples of high-risk AI uses include critical infrastructure, education and vocational training, employment, essential private and public services (e.g. healthcare, banking), certain systems in law enforcement, migration and border management, justice, and democratic processes (e.g. influencing elections). 

Such systems must assess and reduce risks, maintain use logs, be transparent and accurate, and ensure human oversight. Citizens will have a right to submit complaints about AI systems and receive explanations about decisions based on high-risk AI systems that affect their rights.

Transparency requirements: General-purpose AI (“GPAI”) systems, and the GPAI models they are based on, must meet certain transparency requirements, including compliance with EU copyright law and publishing detailed summaries of the content used for training. The more powerful GPAI models that could pose systemic risks will face additional requirements, including performing model evaluations, assessing, and mitigating systemic risks, and reporting on incidents. Additionally, artificial or manipulated images, audio, or video content (“deepfakes”) need to be clearly labelled as such.

Measures to support innovation and SMEs: Regulatory sandboxes and real-world testing will have to be established at the national level, and made accessible to SMEs and start-ups, to develop and train innovative AI before its placement on the market.

Action Steps for Companies: In light of the potential fines for violations of the AI Act (up to €35 million or 7 percent of annual worldwide turnover) and the wide scope of applicability (the Act applies to providers and deployers of AI systems that are located both in the EU and outside the EU in the event that their systems affect EU citizens, entities, or the EU market), companies are expected to start preparing ahead of the full set of regulations coming into effect by mid-2026.

In a recent note, Paul Hastings LLP’s Kimia Favagehi said that companies can act now by way: (1) assessing their AI systems for category of risk; (2) conducting adequate due diligence to ensure quality of data sets, privacy and security safeguards, and overall ethical use; and (3) consulting with experts to ensure your company complies with the various legal, business, and ethical considerations associated with AI.

At the same time, Simpson Grierson’s Michelle Dunlop, Karen Ngan and Richard Watts state that businesses that are currently developing and/or deploying AI would be well-advised to start preparing for the AI Act by: (1) auditing the use, development, and supply of AI systems within your business and its supply chains; (2) mapping and documenting relevant processes (eg databases, training, cybersecurity); (3) considering the level of risk your business’s current and/or proposed AI systems will likely fall under for the purposes of the AI Act, and understanding the applicable requirements; (4) conducting privacy impact and algorithmic assessments before AI systems are implemented/developed and putting in place procedures for ongoing risk identification; (5) reviewing existing contractual arrangements with third party providers and suppliers; and (6) taking note of the staggered compliance deadlines for enforcement under the AI Act.

related articles