On April 21, 2021, the European Commission unveiled a proposal for a “Regulation laying down harmonized rules on Artificial Intelligence” (“AI Regulation”), which sets out how AI systems and their outputs can be introduced to, and used in, the European Union (“EU”).
This proposal is part of a broader Commission strategy on digital technology, including a proposal for a new Regulation on Machinery Products, which focuses on the safe integration of the AI system into machinery, as well a new coordinated plan on AI.
Broad definition of AI
The Commission has decided to use the notion of "AI system", which it intends to define clearly to reconcile legal certainty and flexibility for the future.
Thus, Article 3.1 of the AI Regulation defines "AI system" as a software that is developed with one or more of the techniques and approaches listed in Annex I and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with.
The AI techniques and approaches referred to in Article 3.1 are the following (Annex 1):
- Machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning,
- Logic- and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems, and
- Statistical approaches, Bayesian estimation, search and optimization methods.
Material and territorial scopes
All aspects of the lifecycle of the development, sale and use of AI systems are covered, i.e., (i) placing AI systems on the market, (ii) putting AI systems into service, and (iii) making use of AI systems.
All those involved in undertaking these activities (whether as a provider, user, distributor, importer, or resellers) will be subject to a level of regulatory scrutiny.
This also extends to providers or users of AI systems who are located outside the EU if they are placing AI systems into service in the EU or using the outputs derived from the AI systems operating in the EU.
The territorial scope here echoes the extra-territorial effect of the General Data Protection Regulation (GDPR).
The AI Regulation shall not apply to AI systems developed or used exclusively for military purposes though.
Compliance review of high-risk AI systems
The proposal follows a risk-based approach, differentiating between uses of AI that create (i) an unacceptable risk, (ii) a high risk, and (iii) low risk.
(i) Title II of the AI Regulation establishes a list of prohibited AI systems whose use is considered unacceptable as contravening Union values, for instance by violating fundamental rights. The prohibitions cover practices that have a significant potential to manipulate persons through subliminal techniques beyond their consciousness or exploit vulnerabilities of specific vulnerable groups such as children or persons with disabilities to materially distort their behavior in a manner that is likely to cause them or another person psychological or physical harm.
(ii) Title III of the AI Regulation contains specific rules for AI systems that create a high risk to the health and safety or fundamental rights of natural persons.
Annex III lists the areas concerned by these AI systems:
- Biometric identification and categorization of natural persons,
- Management and operation of critical infrastructure,
- Education and vocational training,
- Employment, workers management and access to self-employment,
- Access to and enjoyment of essential private services and public services and benefits,
- Law enforcement,
- Migration, asylum and border control management, and
- Administration of justice and democratic processes.
In line with a risk-based approach, those high-risk AI systems are permitted on the European market subject to compliance with certain mandatory requirements and an ex-ante conformity assessment.
Indeed, the proposal sets out the legal requirements for high-risk AI systems in relation to data and data governance, documentation and recording keeping, transparency and provision of information to users, human oversight, robustness, accuracy and security.
A clear set of horizontal obligations are placed on providers of high-risk AI systems. Proportionate obligations are also placed on users and other participants across the AI value chain (e.g., importers, distributors, authorized representatives).
(iii) Title IV of the AI Regulation sets forth transparency obligations for limited-risk systems that (i) interact with humans, (ii) are used to detect emotions or determine association with (social) categories based on biometric data, or (iii) generate or manipulate content (‘deep fakes’).
The AI Regulation provides that failure to comply with certain sensitive provisions (i.e., prohibited AI practices and high quality of data sets concerning high-risk AI systems) shall be subject to administrative fines of up to EUR 30 million or, if the offender is company, up to 6 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Non-compliance with any other requirements applicable to AI systems would result in fines of up to EUR 20 million or, if the offender is a company, up to 4 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Measures in support of innovation
To promote innovation, the AI Regulation would enable national regulators to establish regulatory sandboxes schemes and require Member States to provide certain services and facilities to small-scale providers, start-ups, and users.
National competent authorities
Member States must designate national competent authorities and a national supervisory authority responsible for providing guidance and advice on implementation of the AI Regulation, including to small-scale providers.
European Artificial Intelligence Board
The proposed rules will be enforced through a cooperation mechanism at Union level with the establishment of a European Artificial Intelligence Board (“Board”), composed of representatives from the Member States and the Commission.
The Board will (i) contribute to the effective cooperation of the national supervisory authorities and the Commission and (ii) provide advice and expertise to the Commission. It will also collect and share best practices among the Member States.
The European Parliament and the Council of the EU will now review and discuss the Commission's proposals, which could result in modifications. Both institutions must approve the final text under qualified majority before the AI Regulation and the Machinery Regulation take effect.
For more information : https://eur-lex.europa.eu/procedure/FI/2021_106
The territorial scope here echoes the extra-territorial effect of the General Data Protection Regulation (GDPR)