EU Publishes Artificial Intelligence Act

On July 12, 2024, the EU Artificial Intelligence Act, or Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonized rules on artificial intelligence was published in the Official Journal of the European Union, more than three years after the original proposed text was published in April 2021. 

The EU Artificial Intelligence Act sets out harmonized rules for the development, marketing, and use of AI systems within the European Union, its primary goals being to ensure that AI is human-centric, trustworthy, and in line with European values, while also promoting innovation, protecting public interests, and safeguarding fundamental rights such as health, safety, and democracy.

Having reached this milestone, the EU AI Act will enter into force on August 1, 2024 and will become applicable as of August 2, 2025, with some exceptions. 

Below we include a short summary of the key points of the Artificial Intelligence Act: 

How does the EU Artificial Intelligence Act define Personal Information and what are other key definitions?

• Personal Data: The Act does not explicitly redefine personal information, instead it  references the GDPR (General Data Protection Regulation), which defines personal data as any information relating to an identified or identifiable natural person.
• Special categories of personal data: same meaning as the GDPR, namely “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.”
• AI System: “a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments”
• Biometric Data: “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, such as facial images or dactyloscopic data.”
• High-Risk AI Systems: AI systems that pose significant risks to the health, safety, or fundamental rights of individuals, such as AI systems used in critical infrastructure, education, employment, essential private and public services, law enforcement, and migration, asylum, and border control management.

Who does the EU Artificial Intelligence Act apply to?

The EU AI Act applies to:

• Providers: Any natural or legal person who develops an AI system or has an AI system developed and places it on the market under their name or trademark.
• Deployers: Any natural or legal person, including public authorities, using an AI system under their authority, except when used for personal non-professional activities.
• Users: Entities using AI systems, whether within the EU or those from third countries that produce outputs intended for use in the EU.

Who does the EU Artificial Intelligence Act exempt?

The Act does not apply to:

• AI systems used for military, defense, or national security purposes.
• AI systems developed and put into service solely for the purpose of scientific research and development, provided these systems are not placed on the market or put into service beyond research and development contexts.

What are the requirements for businesses under the EU Artificial Intelligence Act?

Businesses must:

• Ensure compliance with mandatory requirements for high-risk AI systems: This includes risk management systems, data and data governance, technical documentation, record-keeping, transparency and provision of information to users, human oversight, accuracy, robustness, and cybersecurity.
• Conduct conformity assessments: High-risk AI systems must undergo assessments to ensure they meet the requirements set out by the Act before they can be placed on the market or put into service.
• Maintain records and documentation: Businesses must keep detailed records of their AI systems' development, functioning, and compliance measures.
• Implement post-market monitoring: Businesses must monitor AI systems throughout their lifecycle to ensure continued compliance.

What are the consumer rights under the EU Artificial Intelligence Act?

Consumers have the right to:

• Transparency: Be informed when they are interacting with an AI system.
• Explanation: Understand how decisions that significantly affect them are made by high-risk AI systems.
• Protection: Have their health, safety, and fundamental rights protected against risks posed by AI systems.
• Redress: Seek compensation for damages caused by non-compliant AI systems.

How to respond to consumer requests under the EU Artificial Intelligence Act?

Businesses must:

• Provide clear and accessible information: Ensure that consumers can easily understand and access information about AI systems that affect them.
• Enable redress mechanisms: Set up processes to handle consumer complaints and requests for redress promptly and effectively.
• Comply with data protection regulations: Adhere to GDPR requirements for responding to requests related to personal data, including access, correction, and deletion.

EU Artificial Intelligence Act enforcement and penalties

The enforcement of the Act involves:

• National authorities: Each EU Member State will designate national authorities to supervise and enforce compliance with the Act.
• European Artificial Intelligence Board: This board will support national authorities, promote cooperation, and ensure consistent application of the Act across the EU.
• Penalties: Non-compliance with the Act can result in significant penalties, including fines. The severity of penalties depends on the nature of the violation, with more severe breaches, particularly those affecting fundamental rights, attracting higher fines. Specifically, fines vary between 7,500,000 EUR or 1% of the total worldwide annual turnover for the preceding financial year, whichever is greater, and 35,000,000 EUR or 7% of the total worldwide annual turnover for the preceding financial year, whichever is greater. 

Although the EU AI Act enforcement date is August 1, 2024, this means that on this day it becomes part of the EU’s legal system. Its actual implementation date is August 2, 2026 with the following exceptions: 

• Chapters I and II, containing general provisions and prohibited AI practices, shall apply as of February 2, 2025;
• Chapter III, Section 4 (Notifying authorities and notified bodies), Chapter V (General Purpose AI models), Chapter VII (Governance), Article 78, and Chapter XII (Penalties), except Article 101 (Fines for providers of general-purpose AI models), will apply as of August 2, 2025; and
• Article 6(1) and the corresponding obligations will be applicable as of August 2, 2027.