February 2025

Yesterday, February 2, 2025, the first provisions of the EU AI Act went into effect, including those relating to AI literacy and prohibited systems. Prohibited systems include those that pose an unacceptable level of risk to fundamental rights, health, or safety, and penalties for their use can be up to €35 million or 7% of annual worldwide turnover. Providers and deployers of AI systems must ensure sufficient AI literacy for staff and agents. Compliance requires creating an inventory of AI systems, classifying them, and ensuring ongoing AI literacy training. Holistic AI offers a solution to simplify compliance with the EU AI Act.
November 2024

The EU AI Act addresses the use of biometric technologies and their implications for privacy, security, and fundamental rights. Biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person. The Act prohibits certain biometrics-related AI practices, such as real-time remote biometric identification systems in public spaces and biometric categorization systems inferring sensitive characteristics. Biometric verification is not prohibited but is still subject to GDPR and other applicable laws. High-risk biometrics-related AI systems, such as emotion recognition and remote biometric identification, must undergo a stricter conformity assessment involving a notified body. Organizations must evaluate their use cases against the Act's provisions to ensure lawful and ethical operation within the EU.
October 2024

The European AI Office has initiated the drafting process for the first-ever Code of Practice for general-purpose AI (GPAI) models under the EU AI Act. The Code of Practice will serve as a guiding framework to align with the stringent requirements of the Act and ensure compliance. Over 1,000 stakeholders are involved in the drafting process, which will span four rounds of reviews and consultations, with the final version expected to be published in April 2025. The Code of Practice provides guidelines for GPAI model providers to demonstrate compliance with legal obligations, including identifying and addressing systemic risks. If the Code of Practice is not ready or deemed inadequate by 2 August 2025, the European Commission may introduce common rules to ensure compliance with the AI Act.
September 2024

The EU AI Act focuses on data governance and management in AI development, imposing strict requirements on high-risk AI systems and general-purpose AI models. The Act also addresses the interplay between AI governance and personal data protection law, particularly the GDPR. It introduces new legal grounds for personal data processing and mandates impact assessments to address risks to fundamental human rights and freedoms. However, AI technologies present unique challenges for privacy and personal data protection, and enterprises may need to navigate compliance with multiple regulatory frameworks. Proper preparation is vital to avoid the harsh consequences of non-compliance.

The UK is introducing the Public Authority Algorithmic and Automated Decision-Making Systems Bill (HL Bill 27) to regulate the use of automated and algorithmic tools in decision-making processes within public authorities. The proposed legislation applies to all algorithmic and automated decision-making systems developed or procured by public authorities, excluding those used for national security and routine calculations. The bill introduces requirements for algorithmic impact assessments, algorithmic transparency records, monitoring and auditing, employee training, and adherence to human rights and democratic values. The legislation aims to align with the Council of Europe's Framework Convention on AI.