A Milestone in AI Regulation – EU AI Act Approved By European Parliament

On March 13, 2024, the European Parliament approved the Artificial Intelligence Act (the Act), positioning the EU to have the world’s first binding comprehensive law on artificial intelligence (AI).

The Act will apply to providers of AI systems that are in the EU market, irrespective of whether the providers themselves are located in the EU; deployers of AI systems located in the EU; and providers and deployers of AI systems where the output produced is used in the EU. The Act establishes obligations for different types of AI systems based on the potential risks and impact on individuals and the public.

As part of this framework, the Act identifies prohibited AI practices that pose too great a risk to the fundamental rights of EU citizens. Notably, these prohibited AI practices include:

1. AI systems that use subliminal techniques beyond a person’s consciousness (thereby limiting their free will);
2. AI systems that exploit the vulnerabilities of persons due to their age, disability, or specific social or economic situation;
3. the use of AI systems for predictive policing or for the untargeted scraping of facial images from the internet or CCTV;
4. the use of biometric categorization systems that categorize individuals based on sensitive characteristics; and
5. the use of “real time” remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement (though there is a narrow list of exceptions, such as searching for specific victims of abduction and preventing terrorist attacks).

Other AI systems, though not prohibited, are classified as “high-risk” under the Act. High-risk AI systems exist in two categories: (i) AI systems that will be used as regulated products under the Act or as safety components in regulated products; and (ii) AI systems used in areas listed in Annex III of the Act (e.g., critical infrastructure, educational and vocational training, and employment). Requirements for high-risk AI systems include the establishment and implementation of a risk management system, maintaining use logs, and ensuring human oversight.

The Act also addresses general-purpose AI models (GPAI), which are a type of AI model that displays “…significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications…”. Providers of GPAI models will be required to meet transparency requirements and comply with EU copyright law, among other obligations.

The text of the Act still needs to be formally endorsed by the European Council and given a final linguistic review. Once approved, the Act’s provisions will gradually apply with most obligations fully implemented 24 months after its entry into force.

Summary By: Claire Bettio