The proposed EU AI Act cleared an important hurdle last week, following the approval of the negotiating draft by MEPs on 14 June. The trilogue will now get underway – this is the three-way discussion between the European Parliament, Commission and Council – and we set out below some key takeaways from the recent vote.
- The Act could in theory be adopted in early 2024 and in force by 2026. If negotiations go smoothly (and there is a big “if”), the AI Act could be formally adopted as early as the beginning of 2024. At this point, the two-year transition period (reduced from three in the earlier draft) will begin. There is serious concern that two years will not be enough time to build up the infrastructure necessary for compliance across stakeholders (regulators, notified bodies, and industry) and all stakeholders should start preparing now.
- Much debate and a last-minute amendment focused on which AI use cases should be prohibited, specifically remote biometric identification, which can be used to identify individuals at a distance and at scale. Although the last minute amendment was not adopted, the debate – which pits security interests against individual freedoms and the risks of mass surveillance and is a politically sensitive balancing act – is likely to continue.
- Most companies will be more concerned about how permitted uses of AI are regulated, and how to manage the compliance burden the Act will impose on those who develop and deploy AI, both within their business and externally. The draft approved following this vote retains the more onerous provisions approved by MEPs in May, which significantly widened the scope of the regulation, by introducing a set of general principles for the development and use of AI applicable to all AI systems, irrespective of the risk that they pose, and broadening the scope of uses considered high-risk. You can read more about the provisions in our previous post EU AI Act: Top 10 Changes in the Latest Draft.
- The President of the European Parliament and the MEPs sponsoring the legislation have been clear about the desire for Europe to “lead the way” with strong AI legislation, specifically calling out the transparency obligations imposed on generative AI as an example of this.
- Implementation of the AI Act will present many challenges: interoperability with existing EU law, for example the Digital Services Act and GDPR, identification of national regulators, cooperation at an international level, and whether the Act is sufficiently flexible to deal with continuing evolution of AI technology.
- Companies that provide, deploy, operate, or distribute AI systems that touch the EU market should be undertaking a risk assessment to determine if they will be subject to the AI Act. This is not only relevant to companies domiciled in the EU – the AI Act has extraterritorial effect, applying to providers of AI systems placed in the EU market irrespective of whether they are established in EU, and to providers and deployers of AI systems that are established outside the EU if the output produced by the AI systems is used in the EU.
- The immediate focus should also be on ensuring that development and deployment of AI systems today complies with the relevant laws that are already in effect, including data privacy, product liability, human rights and discrimination laws (among others).
