While the European Union is not John Connor, and ChatGPT is certainly no Skynet, the EU has taken a bold first step in attempting to protect our society and the “fundamental rights of a person”[1] from the risks that come with the rapidly advancing development of more and more powerful artificial intelligence (AI) models.
What Happened? The European Council Approved the EU AI Act
On February 2, 2024, the European Council (consisting of representatives from each of the 27 member states) unanimously voted to approve the groundbreaking European Union Artificial Intelligence Act (the “EU AI Act” or the “Act”)[2] – a global first of its kind attempt to introduce a comprehensive set of AI regulations.[3] The legislation was then officially signed off on by the European Parliament on March 13, 2024. Now, the Act will be subject to a final lawyer-linguist check, before being published in the EU’s Official Journal and then enter into force twenty days after publication.[4] From there, the Act will apply on a rolling basis, with the Act’s prohibitions applying after six months, the codes of practice after nine months, the rules covering General Purpose AI (GPAI) after 12 months, the obligations for high-risk systems after 36 months, and finally, the majority of the Act will take effect after a two year grace period designed to allow for time to prepare for compliance, and to establish effective oversight.[5] The Act took months of intensive “trialogue negotiations between the EU Commission, Parliament, and Council.”[6] Some of the most contentious issues were: what would be included in the high-risk or prohibited categories, how the Act would be enforced, and how to handle GPAI models such as foundation models and generative AI systems like ChatGPT.[7]
What Does the Act Do?
With the EU AI Act, the EU seems to be attempting to strike an important balance between promoting innovation and recognizing risk. The EU recognizes and seeks to promote the exciting range of “economic and societal benefits” that artificial intelligence technologies can bring to various sectors of society.[8] However, the EU’s world first attempt at comprehensively corralling this game-changing new technology is meant to acknowledge the upside, while also being extremely careful to address the risks associated with AI, recognizing the technologies’ potential to, “jeopardise fundamental rights such as the right to non-discrimination, freedom of expression, human dignity, personal data protection and privacy.”[9]
The EU AI Act, attempts to strike this balance using a tiered set of regulations, classifying AI models using four categories of risk: unacceptable risk, high risk, limited risk, and minimal risk.[10]
AI systems categorized as presenting an unacceptable risk will be banned all together, these include: biometric categorization systems based on protected traits, emotion recognition systems in a workplace or educational setting, untargeted facial image scrapping to create facial recognition databases; social scoring; systems manipulating people’s free will, and AI used to exploit people’s vulnerabilities (ex: age, disability, etc.).[11] One notable exemption, is that real time biometric identification systems can be used by law enforcement, in limited circumstances, and under very narrow safeguards.[12]
Next, the high-risk category of AI systems may be the most complicated, as the determination will depend on a series of factors regarding how the system is used and in what industry or product line it is used in.[13] Products under the EU’s product safety legislation will be covered here, such as toys, aviation, automobiles, medical devices, and elevators.[14] Additionally, there will be a litany of use-cases in high-risk areas that will be covered, including: law enforcement, critical infrastructure, educational training, employment, border control, and the judicial or democratic processes.[15] These high-risk systems will need to, “adhere to regulations that require rigorous testing, proper documentation of data quality and an accountability framework that details human oversight.”[16] High risk systems will therefore be required to “assess and reduce risks, maintain use logs, be transparent and accurate, and ensure human oversight.”[17] Thus, high-risk AI systems will be assessed before they are allowed to enter the market and as they are used on the market,[18] as they will be subject to registration and oversight, likely from the new EU AI Office.[19] These companies will also be held accountable in several forms, from fundamental rights impact assessments, to private citizens with the right to launch complaints.[20]
On the other hand, AI systems deemed a limited risk, including chatbots and systems that can create deepfakes, will just need to comply with transparency obligations such as notifying their users that the content they are interacting with is AI generated (e.g. AI generated text, audio, video, etc.).[21] Finally, the remaining systems, including AI used in everything from video games to spam filters, will be considered minimal-risk and allowed to be used freely.[22]
However, after much debate, the EU will also be separately regulating the extremely powerful GPAIs that have recently come to prominence, such as ChatGPT,[23] with a separate, two-tiered system.[24] The first tier covers all GPAI systems and requires transparency regarding their training methods & data, adherence to copyright laws, and ability to identify content as AI generated.[25] However, those deemed to present “systematic risk” based on various benchmarks measuring size and power, will have to adhere to a much stricter tier of regulations, including strict safety testing and evaluations before releasing products to the market, assessing and mitigating systematic risks, cybersecurity assessments, continued oversight, and the continued reporting of issues.[26]
To administer and enforce the Act, the EU has established an AI Office, which will be accompanied by a scientific panel of independent experts, an AI Board consisting of representatives from EU member states, and an advisory forum for stakeholders.[27] As for the potential penalties, if things stay as currently proposed, penalties could range from €7.5 million or 1% of annual global turnover, all the way to €35 million or 7% of annual global turnover – depending on the size of the company and the nature of the infringement.[28]
What Does This Mean for the Business World?
The EU AI Act has faced backlash from some major European companies – in the form of an open letter signed by 150 executives, from companies such as Airbus, Renault, and Heineken.[29] Their concern is that the EU will too heavily regulate generative AI and foundation models, regardless of their use, which could make the cost of compliance too high and handicap their productivity, and thus competitiveness, compared to other countries like the United States – potentially leading to companies leaving the EU. [30] Thus, in their open letter, these executives suggest the EU should take a more industry-conscious approach.[31] However, Dragoș Tudorache, a member of the European Parliament who led the development of the Act, pushed back at these companies by arguing that they were being too reactionary, as the Act actually gives them exactly what they want: “an industry-led process for defining standards, governance with industry at the table, and a light regulatory regime that asks for transparency. Nothing else.”[32]
However, regardless of this back and forth, the Act is here to stay, so companies will have to prepare themselves to achieve compliance.[33] Companies will likely begin by performing some form of “gap analysis” in which they review where their current systems stand in terms of complying with the Act’s requirements – as some, who are more AI safety focused, may be much closer than others.[34] Furthermore, companies will have to weigh just being compliant versus taking extra steps to go above and beyond to ensure their reputation is protected if they do something technically permitted, but still questionable.[35] In the end, this question will be crucial for businesses utilizing AI because, “[t]he board is ultimately responsible for protecting the organization from short- and long-term ethical, reputational, and regulatory risks.”[36]
Subsequently, it is possible that the EU AI Act serves as another example of the “Brussels Effect” – a term first coined to describe the effect the EU’s General Data Protection Regulation (GDPR) had on regulating data privacy throughout the rest of the world.[37] The Brussels Effect is essentially, “the phenomenon where the markets are transmitting the EU’s regulations to both market participants and regulators outside the EU.”[38] Thus, there are two types of the Brussels Effect.[39] First, the de facto type, in which corporations respond to the EU’s regulations by simply conforming their behavior globally, because it would cost less to just comply across the board, rather than to operate in several different region-specific ways.[40] Therefore, when corporations discuss how to build their compliance systems in response to the EU AI Act, they may just decide to implement these compliance protocols in every jurisdiction in which they operate.
Additionally, the de jure Brussels Effect refers to foreign governments following the path of the EU, with similar regulation, because their multinational corporations will be incentivized to lobby for equivalent regulation back home to avoid being at a disadvantage in relation to their domestic competitors.[41] Globally, we may already be seeing this predicted reaction from foreign governments, such as in the United States, which started off lenient but has begun to respond to increasing calls for regulation.[42] “Furthermore, in the context of the newly established EU-US tech partnership (the Trade and Technology Council), the EU and USA are seeking to develop a mutual understanding on the principles underlining trustworthy and responsible AI.”[43]
Thus, the EU AI Act will be an important item to keep an eye on through its implementation, as it serves as a world first attempt to regulate AI that could have a truly global effect.
*Special thanks to Professor Aniket Kesari for giving me his permission to publish this post on the JCFL blog, as it will be, in parts, excerpts of my larger paper-in-progress for the Law and Technology Survey class.
[1] Spencer Feingold, The European Union’s Artificial Intelligence Act, Explained, World Econ. Forum (June 30, 2023), https://www.weforum.org/agenda/2023/06/european-union-ai-act-explained/.
[2] Luke Carberry Mogan, EU approves AI Act: The global implications for Big Tech, Yahoo! Fin. (Feb. 8, 2024) (Rachelle Akuffo and Akiko Fujita interviewing Alexis Keenan), https://finance.yahoo.com/video/eu-approves-ai-act-global-171057729.html.
[3] Id.; European Parliament Press Release, Artificial Intelligence Act: deal on comprehensive rules for trustworthy AI (Dec. 9, 2023), https://www.europarl.europa.eu/news/en/press-room/20231206IPR15699/artificial-intelligence-act-deal-on-comprehensive-rules-for-trustworthy-ai.
[4] Carberry Mogan, supra note 3; Elizabeth Gibney, What the EU’s tough AI law means for research and ChatGPT, Nature (Feb. 16, 2024), https://www.nature.com/articles/d41586-024-00497-8; Reid Blackman and Ingrid Vasiliu-Feltes, The EU’s AI Act and How Companies Can Achieve Compliance, Harvard Bus. Review (Feb. 22, 2024), https://hbr.org/2024/02/the-eus-ai-act-and-how-companies-can-achieve-compliance; European Parliament Press Release, Artificial Intelligence Act: MEPs adopt landmark law (Mar. 13, 2024), https://www.europarl.europa.eu/news/en/press-room/20240308IPR19015/artificial-intelligence-act-meps-adopt-landmark-law#:~:text=The%20new%20rules%20ban%20certain,to%20create%20facial%20recognition%20databases.
[5] Clara Hainsdorf, Tim Hickman, Dr. Sylvia Lorenz, & Jenna Rennie, Dawn of the EU’s AI Act: political agreement reached on world’s first comprehensive horizontal AI Regulation, White & Case Tech Newsflash, White & Case LLP (Dec. 14, 2023), https://www.whitecase.com/insight-alert/dawn-eus-ai-act-political-agreement-reached-worlds-first-comprehensive-horizontal-ai; European Parliament Press Release, supra note 5.
[6] Id.
[7] Id.
[8] Tambiama Madiega, EU Legislation in Progress Briefing – Artificial Intelligence Act, European Parliamentary Rsch. Serv. (PE 698.792) (Jun. 2023), https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/698792/EPRS_BRI(2021)698792_EN.pdf.
[9] Id.
[10] European Commission – Shaping Europe’s Digital Future, AI Act, European Commission, https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework ai#:~:text=The%20AI%20act%20will%20be,%2C%20safety%2C%20and%20ethical%20principles.
[11] David A. Simon, Pramode Chiruvolu, Nicola Kerr-Shaw, Eve-Christie Vermynck, & Susanne Werry, Latest Text of EU AI Act Proposes Expanding Obligations for High-Risk and General AI Systems and Banning a Third Category, Skadden Publication, Skadden, Arps, Slate, Meagher & Flom LLP (Feb. 5, 2024), https://www.skadden.com/insights/publications/2024/02/latest-text-of-eu-ai-act-proposes-expanding-obligation; The New EU AI Act – the 10 key things you need to know now, Dentons (Dec. 14, 2023), https://www.dentons.com/en/insights/articles/2023/december/14/the-new-eu-ai-act-the-10-key-things-you-need-to-know-now.
[12] European Parliament Press Release, supra note 5.
[13] Simon et al., supra note 12; European Comm’n, supra note 11.
[14] European Parliament Press Release, EU AI Act: first regulation on artificial intelligence (Jun. 8, 2023, updated Dec. 19, 2023), https://www.europarl.europa.eu/news/en/headlines/society/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence.
[15] Id.; Simon et al., supra note 12; European Commission, supra note 11.
[16] Feingold, supra note 2.
[17] European Parliament Press Release, supra note 5.
[18] European Parliament Press Release, supra note 15.
[19] European Commission to Establish AI Office, Privacy & Information Security Law Blog, Hunton Andrews Kurth LLP (Feb. 22, 2024), https://www.huntonprivacyblog.com/2024/02/22/european-commission-to-establish-ai-office/.
[20] European Commission, supra note 11; Hainsdorf et al., supra note 6; Simon et al., supra note 12.
[21] European Commission, supra note 11; Hainsdorf et al., supra note 6.
[22] European Commission, supra note 11.
[23] Feingold, supra note 2.
[24] Gibney, supra note 5; Simon et al., supra note 12; European Parliament Press Release, supra note 4.
[25] Gibney, supra note 5; Simon et al., supra note 12; European Parliament Press Release, supra note 5.
[26] Gibney, supra note 5; Simon et al., supra note 12; European Parliament Press Release, supra note 5.
[27] Dentons, supra note 12.
[28] Id.; Simon et al., supra note 12.
[29] Javier Espinoza, European companies sound alarm over draft AI law, Fin. Times (Jun. 30, 2023), https://www.ft.com/content/9b72a5f4-a6d8-41aa-95b8-c75f0bc92465?accessToken=zwAF_1mupyDQkdObcqX0pthBqtOVuMdfC8kkZQ.MEQCICFSjgLLOFtOcf2uNQeEHuDVNzyB-S4IEQwpNYvRF_FGAiAPR1Y5nZlOajpQQW_fDC0smi3CX2Hox9sePHo7KElMIw&sharetype=gift&token=bfc9af31-bc71-4ddd-91a5-15c2bb2e0b32.
[30] Id.
[31] Id.
[32] Id. (quoting remarks made by Dragoș Tudorache).
[33] Blackman and Vasiliu-Feltes, supra note 5.
[34] Id.
[35] Id.
[36] Id.
[37] Carberry Mogan, supra note 3; Anu Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press, online ed. 2019), https://doi-org.fls.idm.oclc.org/10.1093/oso/9780190088583.001.0001.
[38] Bradford, supra note 37 at 1.
[39] Id. at 2.
[40] Id.
[41] Id.
[42] Madiega, supra note 9 at 2.
[43] Id.
