A few days ago, the news broke about the provisional agreement on the European Artificial Intelligence Act. After negotiations took place between the Council and the European Parliament.
After this proposal was presented, the Council agreed on its position regarding the Regulation on 6 December 2022. And on 9 December 2023, the Council and the Parliament were finally able to reach an agreement on it.
1.Timeline
2. AIM of the artificial intelligence regulation
The new regulation represents a paradigm shift in the EU, but it will also impact the rest of the world, as was the case with the Data Protection Regulation, since it applies to:
- Providers placing on the market or putting into service AI systems in the Union, irrespective of their location.
- Users of AI systems located within the Union.
- Providers and users of AI systems that are located in a third country, where the output information produced by the system is used in the Union.
This regulation has a number of main aims:
- Create harmonised rules for the placing on the market, the putting into service and the use of Artificial Intelligence systems in the entire Union.
- Prohibitions of certain AI practices.
- Requirements for High Risk systems and obligations for operators of such systems.
- Transparency requirements.
- Rules on market monitoring and surveillance.
These aims focus on risk and ranges from complete prohibition to certain obligations.
It establishes practices that are completely prohibited in order to protect the rights and liberties of citizens, such as:
Following the approach on risk, the prohibited practices are followed by a classification of high-risk systems. For which conditions are set forth so that these systems are more viable from a technical perspective and are a smaller burden for the interested parties. The requirements are as follows:
Another notable aspect includes generative AI systems, which must comply with transparency criteria. These include clearly specifying when a text, song or photograph has been created using AI.
3.Penalties
The text also establishes a series of penalties for non-compliance with the guidelines, which the Member State must apply. This means they must notify the established penalty regime. These may reach:
- Administrative fines up to 30 M or 6% of the total worldwide annual turnover for the preceding financial year (non-compliance with the prohibition of prohibited practices).
- Administrative fines up to 20 M or 4% of the total worldwide annual turnover for the preceding financial year, for non-compliance with any requirement set forth in the regulation.
4. Artificial intelligence and GDPR
Whenever Artificial Intelligence Systems handle personal data, they must comply with all the provisions of the personal Data Protection Regulation: duty of information, basis for legitimacy, principles, etc.
One of the problems that may arise is that today AI commonly uses large amounts of personal data, and in order to comply with the provisions of the GDPR, it uses anonymised data.
With regards to anonymised data, GDPR does not apply but taking into account the significant technological advances that take place every day, the anonymised data of today may be pseudonymised tomorrow, which must comply with the requirements of the data protection regulation.
Another requirement for AI systems that handle personal data is the obligation to carry out a Data Protection Impact Assessment since it meets requirements that mean it must be performed: as innovatively used technology, mass data handling, etc.