The European Union recently enacted its new artificial intelligence regulation, the (“EU AI Act”). The new law is expected to have a substantial impact on the AI industry, including on companies outside of the EU, much as the GDPR did.
Overall, the EU AU Act follows a risk-based approach and contains several categories of AI systems. High risk systems are subject to the most stringent requirements, while AI systems presenting less risk are subject to lighter regulation. But certain uses of AI systems are entirely prohibited. Additionally, special rules apply to general purpose AI systems and foundation models.
In this article we begin to examine the key elements of the EU AI Act. Due to the size and complexity of the EU AI Act, we will analyze it over the course of several installments.
Who it Applies To
The EU AI act applies to providers of AI systems or general-purpose AI models that are placed on the EU market, or are put into service or used in the EU. A “provider” is an organization that (i) develops an AI system or a general purpose AI model, and (ii) places the system or model on the market or puts the system into service under its own name. The EU AI Act applies to providers regardless of whether or not they charge a fee for the AI system. As with the GDPR, the EU AI Act is “extraterritorial” – that is, it applies even if the organization is established in a third country. And it applies to providers’ authorized representatives that are outside the EU.
The EU AI Act also applies to organization located in the EU that use an AI system (“deployers”).
Additionally, it applies to providers and deployers of AI systems if they are located outside the EU if the output produced by the AI system is used in the EU. This aspect has raised some concerns in connection with generative AI systems. If an AI system created by a U.S.-based provider creates content for a U.S.-based customer that is posted online and accessed in the EU, it could make the provider subject to EU AI Act.
Finally, the EU AI Act applies to importers and distributors of AI systems and product manufacturers placing on the market or putting into service an AI system as part of their products.
Prohibited AI Systems
The EU AI Act bans the use of AI systems for certain things, including (i) subliminal, manipulative or deceptive techniques by materially distorting a person’s behavior by appreciably impairing the person’s ability to make an informed decision; (ii) biometric categorization that uses certain sensitive characteristics such as race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation; (iii) social credit systems; (iv) untargeted scraping of facial images from the Internet or CCTV systems for facial recognition; and (v) emotion-recognition systems for use at work and in education.
In our next article, we will look at the next risk category, high-risk AI systems.
