February 2024
The EU has proposed the Harmonised Rules on Artificial Intelligence (EU AI Act) to lead the world in AI regulation and build trust in AI systems. The Act sets out a risk-based approach for AI systems, defines three levels of risk, and subjects certain AI systems to transparency obligations. The Act also introduces a three-tiered model of penalties for violators, with the heftiest fines imposed on those who violate the prohibition of specific AI systems. The EU AI Act has gone through an extended consultation process and has been subject to amendments throughout. Penalties can be issued to providers, deployers, importers, distributors, and notified bodies. The EU AI Act emphasizes proportionality and offers lower penalties for SMEs and startups. There is no union-wide central authority for imposing fines on AI operators, so penalties depend on the national legal system of Member States. The fines for providers of GPAI models and Union bodies are imposed by the Commission and the European Data Protection Supervisor, respectively.
The EU AI Act reached a provisional agreement on 9 December 2023 and was unanimously endorsed by Coreper I on 2 February 2024, making it likely to become official once the European Parliament votes on it in April 2024. After adoption, there will be a two-year grace period for implementation and enforcement, during which the Commission will conduct the AI Pact to encourage early commitment to the Act's rules and principles. Companies should begin preparing for compliance with the Act to maximize alignment. Holistic AI offers governance, risk, and compliance platforms and innovative solutions to help companies navigate the Act's rules and requirements.
The EU has set the gold standard for data protection regulation with the GDPR and is on its way to doing the same in the AI space with the AI Act. The Data Act, which is part of the European Data Strategy, governs how connected products and related services, including IoT devices, handle data, and requires full disclosure from companies on how they collect, store and share users' data. Data holders are bound to provide free, secure, and fair data access while safeguarding trade secrets and user confidentiality, which affects the deployment and functionality of AI systems. The Data Act does not have specific provisions for AI systems, but it affects AI systems deployed in connection with connected products or related services. Compliance with either the Data Act or the EU AI Act does not automatically provide compliance with the other, but the requirements may affect each other. A holistic approach, using technical as well as regulatory tools concurrently, is needed to comply with both regulations.
January 2024
The European Commission has announced the creation of the European Artificial Intelligence Office (AI Office), a key part of the forthcoming AI Act. The office will contribute to the implementation and enforcement of the act, and will sit within the Commission's DG CNECT department. The AI Office will be financed by the Digital Europe Programme. The EU is expected to promote early voluntary compliance with the AI Act through the Commission and the AI Office. The act is likely to come into force in the coming months.
The Council of Europe has published a Draft Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law (DFC), which sets out principles and norms for AI aligned with human rights, democracy, and the rule of law. The Convention's primary objective is to ensure AI systems uphold these values throughout their entire lifecycle. The DFC aligns with the OECD by adopting the same definition for “AI system,” which is significant for clarity and consistency in international AI discourse and regulation. The Framework Convention does not classify specific uses of AI systems as prohibited or high-risk but rather handles this issue at the level of the scope by covering all AI systems “that have potential to interfere with human rights, democracy, and the rule of law” and requiring appropriate risk assessment and mitigation measures to be implemented for all of them. The DFC does not specify what oversight mechanisms should be used but requires each party to establish or designate at least one effective mechanism to oversee compliance with the DFC. The enforcement of the DFC is multifaceted and involves a combination of national implementation, international cooperation, and a follow-up mechanism for oversight and consultation.