This is Part 1 in our series focused on tracking the development of the EU’s AI Act. The series will provide updates and commentary as the AI Act moves through the EU’s legislative process. To set the scene, the EU Commission first adopted its Proposal for a Regulation laying down harmonised rules on artificial intelligence (the Proposed Act) back in April 2021. In ways a ground breaking piece of draft legislation, it was one of the first attempts to implement a regulatory framework which was specific to the use of artificial intelligence (AI) technology. This article aims to summarise what the proposed regulatory framework would look like and how thinking on certain aspects of ultimate regulation may be developing. For context, it should be acknowledged that the world’s leading AI companies are rapidly expanding their operations in the EU. Even in the short period since the Proposed Act’s publication, there have been considerable developments both in how society has started to engage with AI technology, and in respect of the EU’s thinking on how best to regulate the sector. The EU is somewhat ahead of the curve when compared with jurisdictions like the UK or US, who are only starting to really consider the appropriate legal mechanisms for regulating AI (although last week’s Bletchley Declaration in the UK and the recent US presidential Executive Order in respect of AI are clear signals that AI is a legislative concern across the globe). However lawmakers are, in general, playing catch-up to the fast-paced development of innovations in the sector – a common issue in regulation of new technologies.
Development of the Regulation to Date Following the adoption of the Proposed Act by the Commission, the Council adopted its position, proposing a number of amendments (the Council Draft) in December 2022.Discussions on the Proposed Act in the European Parliament (EP) were particularly protracted, so it wasn’t until June 2023 that the EP adopted its position on the Proposed Act, proposing a separate set of amendments (the EP Draft). The EP, the Council and the Commission are currently engaging in a series of closed door, informal trilogue negotiations, whereby the amendments proposed in each draft will be considered, in the hopes of producing a final text of the regulation by the end of this year/early next year. Reporting suggests that negotiations have been difficult, as the institutions try to strike a balance between adequately protecting fundamental rights which could be impacted by AI, and allowing sufficient space for innovation and development of the technology and maximising the commercial and social benefits of AI.
System of Regulation The Proposed Act seeks to regulate AI systems through implementing a risk-based approach. It establishes a tiered scheme of obligations based on the perceived level of risk attached to an AI process – the higher the perceived risk, the more intensive the obligations, with certain uses of AI systems being prohibited entirely. The Annexes to the Proposed Act proscribe a set of AI practices which will be considered “high risk”. The relevant obligations extend to a broad range of aspects of the provision of AI systems, including ensuring certain standards of: risk management systems data and data governance technical documentation and record keeping transparency and provision of information to users human oversight accuracy and robustness The Proposed Act will apply to a number of actors along the chain of production and implementation of AI systems, including developers, users, end-product manufacturers, importers and distributors. Compliance with the regulatory framework will be assessed by accredited third party “conformity assessment bodies”, which will in turn be designated and monitored by designated Member State authorities. The Commission will be responsible for ensuring appropriate coordination and cooperation between the designated conformity assessment bodies. A new European Artificial Intelligence Board will also be established, responsible for issuing general recommendations and opinions. The maximum fine for the most serious failures of compliance provided under the Proposed Act is 6% of the relevant entity’s global annual turnover, with a sliding scale depending on the size of the entity and the type of infraction.
Ongoing Points of Negotiation As already noted, the provisions of the Proposed Act are still being negotiated and have been the subject of significant proposed amendments by both the EP and the Council. We set out the key ongoing points of negotiation below. The Scope of “AI” In its original draft, the Proposed Act focused on AI systems with a specific purpose. These were the AI systems which were to the fore of public discourse at the time of drafting – systems like AI driving technology or AI medical diagnosis techniques. Of course the most significant development in this space since the Commission’s original draft has been the widespread adoption of “general purpose”, generative AI technologies, trained on massive datasets, such as ChatGPT. This technological and social development, and its increasing adoption, has been a significant reason for the delays in the implementation process of the regulation, as the institutions responded to greater social awareness of the potential of AI technology and concern about its potential for harm and misuse. Both the Council Draft and the EP Draft have expanded the proposed definition of “AI” to explicitly reference generative AI. The EP Draft, building on the Council position, creates a new category of AI technology, calling it “foundation models”. A “foundation model” is defined as meaning: “an AI model that is trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks“. Under the EP Draft, providers of foundation models would be subject to certain new obligations, specific to that categorisation, but similar to “high risk” obligations including obligations to: demonstrate the identification, reduction and mitigation of reasonably foreseeable risks to health, safety, fundamental rights, the environment and democracy and the rule of law train the foundation model only on datasets which are subject to appropriate data governance measures (in particular for suitability and to mitigate biases) register the foundation model in an EU database “Generative AI” models are defined as a subcategory of foundation models, to whom an even stricter set of new obligations will apply.
The EP Draft also provides a definition of a “general purpose AI system” describing it as: “an AI system that can be used in and adapted to a wide range of applications for which it was not intentionally and specifically designed“. The amended recitals explain the approach of the EP Draft; that a general purpose AI system can be an implementation, or reuse, of a foundation model. More stringent obligations would apply in relation to the development of foundation models because of the central and fundamental role they play, as a foundation on which further “downstream” uses can be based. In Annex I of the Proposed Act, the text explicitly noted that AI covered under the Act included not only machine learning techniques, but also more basic technologies like logic- and knowledge-based deductive systems, statistical approaches and Bayesian estimations (e.g. basic chatbots providing responses based on simple decision trees). Interestingly the EP Draft and the Council Draft propose deleting this Annex. Both do include a references to such simpler technologies in proposed amendments to the Recitals – with the EP Draft calling out in its recitals that “simpler techniques such as knowledge based approaches, Bayesian, estimation or decision-trees may also lead to legal gaps that need to be addressed by this Regulation, in particular when they are used in combination with machine learning approaches in hybrid systems”. So it would seem that while the EU institutions still consider that the regulation needs to extend to the “simpler” forms of AI, there is a clear shift in focus to primarily seeking to regulate the complex, deep learning technologies. Prohibited AI systems Article 5 of the Proposed Act sets out the AI practices which are intended to be completely prohibited. This list includes certain practices concerned with: use of subliminal techniques to distort a person’s behaviour; exploiting vulnerabilities of specific groups due to protected characteristics like age or disability; certain uses by public authorities to evaluate trustworthiness of people; and certain uses of real-time remote biometric identification systems by law enforcement The Council Draft proposes some limited amendments to this Article, mainly in respect of tweaking the rules concerning when law enforcement may avail of real time real-time…