In a significant milestone for AI regulation, the European Parliament has officially endorsed the EU AI Act after nearly three years of deliberation. The Act, which was approved by a resounding vote of 523-46, sets forth a regulatory framework for artificial intelligence within the European Union.
The Act’s regulatory framework identifies 4 tiers of risk and related requirements for the development and operation of AI technologies, ensuring human oversight and data governance, and mandating technical documentation of AI systems for transparency and understanding. Specifically, the Act is designed to:
- address risks specifically created by AI applications;
- prohibit AI practices that pose unacceptable risks;
- determine a list of high-risk applications;
- set clear requirements for AI systems for high-risk applications;
- define specific obligations for deployers and providers of high-risk AI applications;
- require a conformity assessment before a given AI system is put into service or placed on the market;
- put enforcement in place after a given AI system is placed into the market; and
- establish a governance structure at the European and national level.
The Act will take effect 20 days after its publication in the Official Journal, with staggered deadlines for various requirements. Prohibitions on high-risk AI systems will take effect in stages over the next two years.
The impact of this passage will be felt globally, shaping how multinational companies manage data and navigate AI. Businesses that operate in the EU or that build AI systems that are used in the EU will fall under the Act’s purview, regardless of where they are based. Furthermore, just as GDPR has helped inform U.S. privacy laws, lawmakers will likely be looking to the Act as a model for governing artificial intelligence within our own borders.
The complex process of implementing the Act now begins, and will include further rulemaking, delegating, and other legal steps. Concerns and challenges persist among stakeholders, particularly regarding the use of biometric cameras. Some parties argue for stricter regulations to protect privacy rights, while others emphasize the need for flexibility to accommodate evolving AI capabilities.
Though the regulatory burden falls most heavily on “high risk” AI systems, any business that develops or deploys AI systems in the EU should familiarize themselves with the Act’s provisions. Working with experienced counsel can help you identify your role(s) within the AI ecosystem, determine the risk level applied, and assess compliance with the associated regulatory obligations.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.