The next revolution in technology that will change our lives is both here and coming—Artificial Intelligence (AI). AI has been used for many years to more efficiently sort through data, learning as it goes, to spot patterns and make predictions, test those predictions against the data, and continually iterate (“machine learn”) until the results, at least arguably, are better (and certainly faster) than human ingenuity could do on its own. In recent months (not even years), AI has gone from better data analysis and predictive analytics to generating brand new content, sprung from the pattern-learned “brain” of a computer. As AI becomes more ingrained into our everyday experiences and the technologies we rely on, the challenges to harness its use and prevent its misuse have grown. State, federal and foreign legislators are responding in a variety of ways. Among the most comprehensive, aggressive and far-reaching pieces of legislation to curb potential misuse of AI is the European Union’s (EU) Proposal for a regulation of the European Parliament and of the Council on harmonised rules on Artificial Intelligence (the EU AI Act).
The EU AI Act is designed to protect the public from “high-risk” AI implementations, and does so through a series of strict procedures and enforcement mechanisms to hold virtually any party that puts an AI implementation in use in the EU accountable—even if that company is not based in the EU. While the Act categorically enumerates a variety of AI implementations that may be classified as high-risk, it is perhaps most notable for targeting those geared towards “social engineering.” That is, AI implementations which use behavioral or biometric data to assess persons for different purposes such as social scoring, admission to an educational institution, or to evaluate the reliability of evidence in a criminal proceeding will be targeted.
The accountability is in the form of third-party actions brought against the AI provider in member states, which are responsible for enforcing the law and laying down their own rules on penalties. Among the key provisions, “high risk” AI systems must undergo a conformity assessment procedure that requires review of technical documentation to determine compliance with the Act’s requirements, such as (i) the quality of datasets on which the AI system is trained, which should be “sufficiently relevant, representative, appropriately vetted for errors and as complete as possible in view of the intended purpose of the system,” (ii) the implementation of a risk management system, (iii) registration of the high-risk AI system in a dedicated EU database available to the public, and (iv) the signing of a declaration of conformity and affixation of the mark “CE” (Conformité Européenne) to the high-risk AI system. Additionally, high-risk AI systems must undergo a new conformity assessment procedure whenever they are substantially modified or demonstrate unexpected abilities. Conformity assessments are expected to be performed by or under the approval of the member state’s designated AI registrar, who therefore acts as not only the judge of the conformity assessment but also the jury in the role of hearing third party complaints for violations. Depending on which provisions of the EU AI Act are violated, non-compliant high-risk AI implementations can incur fines that reach over €30,000,000 or six percent of worldwide revenue, whichever is greater.
The EU AI Act has only gotten broader and more bold in its reach as it has passed through the legislative and committee process. It was approved by a huge majority in the EU Parliament on June 14, 2023, and it will now enter a negotiating period between the EU Parliament and its co-legislative body, the Council of the European Union. A final Act is expected to come into force by the end of this year. The EU AI Act is extraterritorial in its reach in that it poses challenges for any company that is going to use or make available any AI implementation or technologies in the EU (whether or not based within the bloc itself). Some of those challenges make the protection of proprietary technology more difficult, e.g., the requirements to publicly disclose algorithms and data sources and subject the AI implementation to testing by the AI registrar. Companies will also need to consider how the EU AI Act interacts with existing legislation, including in relation to data protection and intellectual property law requirements. The EU AI Act provides for a two-year transition period, so companies will need to use the time wisely to ensure they are compliant and able to navigate the burgeoning regulatory landscape.
[View source.]
