As public awareness of the wide range of applications of artificial intelligence (AI) and machine learning technologies has rapidly increased in recent years, so too has the demand for ethical protections and transparency regarding how AI-based systems are used. With this objective in mind, the European Union announced in December 2023 that it had reached a provisional agreement on the basic content of the next Artificial Intelligence Act (AI Act or Act). The bill, which is expected to come into force between May and July 2024, has since been made public, giving stakeholders an early glimpse into the structure of the AI Act.
The AI Act aims to establish a “comprehensive legal framework for AI around the world.”[ing] Enabling trustworthy AI in Europe and beyond by ensuring that AI systems respect fundamental rights, safety, and ethical principles, and by addressing the risks of the most powerful and impactful AI models. Masu. ” See the European Commission's report on AI law. It will oversee the implementation and enforcement of the AI Act, but depending on the offense and the size of the company, fines can be hefty, ranging from €35 million or 7% of global revenue to €7.5 million or 1.5% of global revenue. There is a possibility that See EU Parliament Press Release of December 2023. Therefore, it is important for providers, developers, and implementers of AI models or AI-based systems to understand upcoming AI legislation and its impact on their business.
Fundamentals of AI law
First and foremost, the proposed AI law would require AI systems sold or used within the EU (for free), regardless of whether the provider or developer is established within the EU or another country, to Applies to providers and developers of AI technologies (including AI technologies that can be used). . AI Law Committee Draft, Title I, Art. 2(1) (2 February 2024); see also EU AI Act Explorer (Article 2). This is similar to the EU's General Data Protection Regulation (GDPR), which means that U.S.-based companies that sell or provide AI-based technology in the EU may be subject to penalties for violating the law. It means something. This law does not specifically address AI systems that process personal data of EU nationals. However, it states that existing EU law on personal data, privacy and confidentiality applies to the collection and use of such information for AI-based technologies. AI Law Commission Draft of Art. 2(5a).
The AI Act takes a risk-based approach to classifying AI systems into four tiers. These layers typically address 1) the sensitivity of the data involved, and 2) the specific AI use case or application. See the European Commission's report on AI law.
Source: European Commission Report on AI Law
AI practices that pose an “unacceptable risk” are expressly prohibited under the Act. These prohibited activities include marketing, offering, or using AI-based systems, such as:
- Using manipulative, deceptive, and/or covert techniques in a way that causes, or is likely to cause, serious harm to that person or others that he or she would not otherwise have made; influencing someone to make a decision
- due to a person's age, disability, or particular social/economic circumstances in order to affect that person's behavior in a way that causes or is likely to cause serious harm to that person or to others; take advantage of someone's vulnerability
- Use biometric data to classify individuals based on their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation
- Create or expand facial recognition databases by untargeted collection of facial images from the Internet or closed-circuit television (CCTV) footage
AI Law Commission Draft, Title II, Provisions. 5(1)(a) to (ba), (db); see also EU AI Act Explorer (Article 5). See the complete list of prohibited AI activities. The heaviest penalties will be imposed on AI practices that create unacceptable risks, with companies potentially facing fines of up to 35 million euros, equivalent to 7% of annual revenue. whichever is larger.
The “high risk” system category is much broader than the “unacceptable risk” category and likely includes many AI applications already in use today. For example, high-risk applications of AI technology may include biometric identification systems, educational/vocational training or assessment systems, employment assessment or recruitment systems, financial assessment or insurance-related systems. See AI Law Commission Draft, Article 1. 6, Appendix III. See also EU AI Act Explorer (Article 6).
However, the exact boundaries of risky AI technologies are still unclear. The law makes clear that the system “does not pose a significant risk of harm.”[] Although “to the health, safety or fundamental rights of natural persons'' is not generally considered to be a high risk, the European Commission and the AI Secretariat have identified “to the health, safety or fundamental rights of natural persons'' that implementers can follow to ensure compliance with this requirement. It takes 18 months to create practical guidance. Law Commission Draft Article 6(2a), (2c). Companies should: 1) conduct appropriate evaluations of their systems or services before they are placed on the market; and 2) further evaluations may help avoid certain limitations that apply to their systems. there is. Provide the assessment to national authorities upon request. ID. With art. 6(2b).
At a minimum, developers and implementers using technologies that fall into the high-risk category should be prepared to comply with the following requirements of the AI Act:
- Register in the EU's central database
- A compliant quality control system has been introduced.
- Maintain proper documentation and logs
- undergo relevant conformity assessment;
- Adhere to high-risk AI usage restrictions
- Continue to ensure regulatory compliance and be prepared to demonstrate such compliance upon request
See AI Law Commission Draft, Article 1. Article 16 (Obligations of providers of high-risk AI systems) 60 (EU database for high-risk AI systems); see also EU AI Act Explorer (Article 16) (Article 60).
The AI Act also imposes transparency obligations on the use of AI and establishes certain limits on the use of general purpose AI models. For example, the law requires that AI systems intended to interact directly with humans be clearly marked as such, unless the circumstances make it obvious. See AI Law Commission Draft, Article 1. 52. Additionally, a general purpose AI model with “high impact features” (defined as a general purpose AI model with a cumulative amount of compute used during training per second measured in floating point operations greater than 10) )twenty five Additional restrictions may apply for floating point operations (FLOPs). See AI Law Commission Draft, Article 1. 52a(2); see also EU AI Act Explorer (Article 52a). Among other requirements, providers of such models must maintain technical documentation of their models and training results, adopt policies to comply with EU copyright law, and provide a detailed overview of the content used for training to the AI Office. must be provided. Same as above. With art. 52c(1); see also EU AI Act Explorer (Article 52c).
conclusion
This post highlights some of the biggest changes to the EU's upcoming AI law, but is not a comprehensive list of all proposed changes (some of which have not yet been confirmed). Is not). In any case, whether it applies to providers, developers or implementers of AI technology, the AI Law could significantly change the way companies operate within the EU and around the world. Leaders need to understand how these regulations may affect their companies and what strategies they can use to ensure they operate in compliance with their obligations once the new laws take effect. We need to take the time to understand if we can deploy it.
