Data Privacy Alert: European Policymakers Agree on First Comprehensive AI Regulation

Why This Announcement Is Important 

In December 2023, European policymakers reached agreement on the landmark Artificial Intelligence (AI) Act, the world’s first comprehensive regulation governing AI. Given the pace with which AI has swept across the global tech landscape, it’s notable that EU regulators aren’t afraid to put up some guardrails to ensure AI does not have a negative impact on EU citizens.

Overview of the EU AI Act

On December 8, 2023, negotiators from the European Commission, Council of the European Union, and European Parliament reached an agreement on the AI Act. The law will serve as an early benchmark for countries (like the US) seeking to use this technology for the good of humanity while protecting against downsides like job losses, the spread of misinformation, and risks to national security. First proposed in 2021, the AI Act will likely not take effect until 2025.

The law applies to AI technologies that have broadly been categorized based on risk, with the riskiest uses banned completely, and less risky technology subjected to quality, transparency, supervision, security, and human rights impact assessments. The AI Act does not impose additional requirements on organizations collecting data to train AIs; they must comply with existing regulations as put forth in GDPR.

The act will be enforced by national-level market regulators, while an EU AI Office will coordinate across the member countries. Companies found to violate provisions of the AI Act could face fines of up to 7% of global revenue or €35 million, whichever is higher, for unacceptable risk systems, with lesser penalties for other categories of violations.

What the EU AI Act Covers 

  • Unacceptable risk technologies, such as those that manipulate human behavior, use real-time biometric identification in public spaces, or perform social scoring, are banned.
  • High risk applications that pose threats to health, safety, or fundamental rights (such as those used in health, education, and law enforcement) are subject to obligations on quality, transparency, human supervision, and security both before and after they enter the market.
  • Limited risk uses for AI, such as image, sound, or video manipulation, must notify users and give them the right to opt out.
  • Minimal risk applications, which include most AI uses such as those in video games or spam filters, are not regulated, and existing national laws governing these AIs in the EU are revoked.
  • General Purpose AI, which includes ChatGPT, is subject to transparency requirements, and systems with exceptional computational ability must undergo a thorough evaluation.

Once again, the lawmakers in the EU are calling for more transparency and accountability for technologies with artificial intelligence features.  And like GDPR, the EU is drawing attention and accountability for compliance through significant fines of up to 7% of global turnover.  We keep coming back to the need to strike a balance between innovation and guardrails.  Certainly no one disputes the need for limitations, so I see this law as largely uncontroversial in the abstract, but like a lot of theories, the real fight will be over the details, which we do not have yet.  The good news is the EU is aware that they have a tough job to strike the right balance between protecting citizens and constraining innovation.  A recent study by the Panel for the Future of Science and Technology concludes that while the GDPR covers aspects of AI, the law needs to be expanded and operationalized to address the current risks of AI as we know them.  

Expert Analysis from Jenny Hamilton, General Counsel, Exterro

Data Privacy Tip 

While organizations rush headlong to embrace the potential of AI, there are risks that they should consider and take steps to mitigate. Fortunately, privacy professionals are in a good position to do so, since many foundational privacy principles apply to AI technology.
