Artificial intelligence: The path to regulation

Thanks to Chiara Snider for collaborating on this article

This article has been also published on the EACCNY website  on June 3, 2021.

The European Union (“EU”) has taken on the ambitious and innovative—as well as delicate—challenge of regulating the use of artificial intelligence (“AI”). The European Commission published recently—on April 21, to be exact—its proposed regulation on a European approach to artificial intelligence (the “AI Regulation” or “Draft”). This is actually the first worldwide attempt to regulate AI at a systematic level and this point has been reached only after several proposals were drafted to try to meet the need to regulate this matter. In a nutshell, the AI Regulation is to be followed by a proposal for a new regulation on machinery products that focuses on safe integration of AI systems into devices, as well as a new coordinated plan for AI that outlines the necessary policy changes needed at the Member State level to bolster the EU’s leading position in trustworthy AI.

The draft AI Regulation is part of a broader agenda in the EU focusing on availability and use of industrial and personal data. It aims to establish a European model for the development and use of AI systems that ensures an EU market for AI systems that balances related benefits and risks. Indeed, the EU goal is to secure a place in the top ranks of technological leadership alongside the United States and China without sacrificing the values and principles of the shared legal system. In fact, AI is pervasive in many services and tools that we use every day. It is important to set limits so as not to trample on the fundamental rights of individuals.

The Draft provides a set of rules, under a risk-based approach, to establish the conditions for an ecosystem of trust regarding placing on the market, putting into service, and using AI systems in the EU. The most relevant aspects are summarized below:

  • AI definition: The AI Regulation broadly defines AI systems as all software developed with techniques capable of generating outputs, such as content, predictions, recommendations, and decisions that influence the environment with which they interact (e.g., machine/deep learning systems);
  • Territorial scope of application: The AI Regulation applies not only to all European operators, but also to those suppliers and users established outside the EU whose “output” from the systems developed or used by them is used within the EU. In this respect, certain exclusions apply. Indeed, AI systems used exclusively for military purposes do not fall under the AI Regulation. Moreover, The AI Regulation does not apply either to public authorities in third countries or to international organizations, unless such authorities or organizations use AI systems in judicial or investigative programs in cooperation with the EU or a Member State;
  • Levels of risk: The Draft provides three levels of risk (low or medium, high, and unacceptable) to identify the different uses of AI systems. Most of the AI Regulation’s requirements address the AI systems that create a high risk “to the health and safety or fundamental rights of natural persons.” The list of high-risk AI systems includes applications in various industries, such as banking and finance, social media, HR, and public services, but the commission could update this list. In such circumstances, the relevant AI systems providers shall, inter alia, (i) set up and comply with a risk management system; (ii) follow specific quality criteria for the data and models used; (iii) comply with specific transparency obligations ; (iv) ensure that their AI systems can be subject to human oversight; and (v) guarantee the accuracy and reliability of such systems, including in connection to cybersecurity. Providers of high-risk AI systems must assess compliance with such requirements in accordance with the compliance assessment procedures set out in the draft AI Regulation; 
  • Prohibitions: Where the risk is unacceptable, some prohibitions are imposed. Indeed, an AI system that subliminally modifies a person’s consciousness or exploits any of the vulnerabilities of a specific group of persons due to their age, physical, or mental disability enough to cause them physical or psychological harm cannot be placed on the market, put into service, or used. Furthermore, the use of social scoring systems (such as those used in China) by public authorities or those acting on their behalf is prohibited. It is interesting to note, also, that the use of “real-time” remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement is not permitted, unless strictly necessary for (i) the targeted search for specific potential victims of crime (including missing children); (ii) the prevention of a specific, substantial, and imminent threat to the life or physical safety of natural persons or of a terrorist attack; or (iii) the detection, localization, identification, or prosecution of a perpetrator or suspect punishable by a sentence of at least three years for certain offenses (Section 2 of Decision 2002/584/JHA, which includes, inter alia, terrorism, trafficking in human beings, child pornography, and other offenses.). Notably here, Member States are left free—probably too free—to regulate their use;
  • Sandbox opportunities: The AI Regulation would allow domestic regulators to provide regulatory sandbox schemes and require Member States to grant services and facilities to startups and small-medium scale companies; and
  • Sanctions and enforcement: The applicable sanctions would be even greater than those provided in the GDPR. There are different brackets depending on the type of violation. The relevant authorities, identified by each Member State, will be able to impose administrative sanctions of up to EUR 30 million or 6% of annual worldwide turnover for violations of the AI Regulation. On the enforcement side, the AI Regulation calls for the creation of a European Committee for AI with the specific task of monitoring the correct application of the AI Regulation in the various Member States and of drawing up guidelines on the subject.

To recap, although there is still a long way to go before the AI Regulation is approved and enters into force, it undoubtedly has historical, perhaps even revolutionary significance. The road ahead will not be easy: the greatest challenge will be to come up with a solution to the most problematic aspects of this continually evolving industry. A long-term view must be adopted, or the law runs the risk of quickly becoming obsolete. The only thing left to do is to stay updated on the next steps and moves of the EU Parliament and Council.

Follow us on