The World's First Artificial Intelligence (AI) Act Adopted by the European Union Parliament

IT (Information Technology) Law

On 13rd March 2024, European Union (“EU”) Parliament (“Parliament”) approved the Artificial Intelligence Act (“AI Act” or “Act”), agreed in negotiations with member states in December 2023, with 523 votes in favor, 46 against and 49 abstentions.

The aim of the Act is to improve the functioning of the internal market, in particular by establishing a uniform legal framework for the development, placing on the market, commissioning and use of AI, in accordance with EU values, and to promote the adoption of human-centered and trustworthy AI and support innovation, while ensuring a high level of protection of fundamental rights enshrined in the Charter of Fundamental Rights of the European Union ("Charter"), including health, safety, democracy, the rule of law and environmental protection, against the harmful effects of AI systems.

  • In Particular, the Act Regulates the Following Issues:
  • Security measures on general-purpose artificial intelligence
  • Limitations on the use of biometric identification systems by law enforcement agencies
  • Bans on social scoring and AI used to manipulate or exploit user vulnerabilities
  • Consumers' right to lodge complaints and receive meaningful explanations
  • Fines ranging from €35 million or 7% of global turnover to €7.5 million or 1.5% of turnover

 

  • What Are the Risks Specified in the Act in Relation to Artificial Intelligence?
  • The Act states that while artificial intelligence (AI) brings many conveniences for citizens, Business and the Public interest, it also creates many risks for the safety of consumers and users or fundamental rights.
  • Accordingly, AI regulation, following a risk-based approach, distinguishes between the following risk-creating uses of AI and categorizes them into three classifications:

 

  1. Unacceptable risk: AI systems that pose a threat to human rights will be prohibited. This category includes, for example, social scoring, systems that discriminate based on sensitive characteristics such as race, religion or gender.
  2. High risk: Permitted subject to compliance with AI requirements and ex-ante conformity assessment.

This category includes, for example, systems used in sectors such as health, security, recruitment and medical devices.

  1. Low or minimal risk: Systems that pose less risk to human rights and security will be subject to more flexible rules.

This category includes, for example, chatbots, artificial intelligence-based video games, spam filters, inventory management systems, customer and market segmentation systems that consumers or internet users can interact with.

 

  • Who Are the Parties Primarily Affected by the Act?

AI law will primarily apply to providers of AI systems based in the EU or in a third country that places AI systems on the EU market or makes them available in the EU, and to users/distributors of AI systems based in the EU.

 

  • Prohibited Applications in the Act
  • Recognizing the potential threat of certain applications of AI to citizens' rights and democracy, co-legislators have adopted the following prohibitions on personal data, in particular,
  • biometric categorization systems that use sensitive characteristics (e.g. political, religious, philosophical beliefs, sexual orientation, race),
  • non-targeted scraping of facial images from the internet or CCTV footage to create facial recognition databases,
  • emotion recognition in the workplace and educational institutions,
  • social scoring based on social behavior or personal characteristics,
  • AI systems that manipulate human behavior to thwart their free will,
  • AI used to exploit people's weaknesses (due to their age, disability, social or economic status).

 

  • Measures Planned to be Taken

For high-impact general-purpose AI (“GPAI”) models that carry systemic risk, the Parliament negotiators succeeded in introducing more stringent obligations. If they meet certain criteria, they will be required to conduct model assessments, assess and mitigate systemic risks, conduct adversarial testing, report to the Commission on serious incidents, ensure their cybersecurity and report on their energy efficiency. MEPs also insisted that until harmonized EU standards are published, GPAIs with systemic risk can rely on codes of practice to comply with the regulation.

  • Some of the Innovations Introduced by the Act for Artificial Intelligence Systems Used against Public Interest

 

  • Obtaining facial images from the internet or from CCTV footage will be banned, as will biometric classification in workplaces and educational institutions to extract sensitive data such as emotion recognition, social scoring, sexual orientation or religious beliefs.
  • Law enforcement will be able to use AI in some cases. Law enforcement agencies will be able to use real-time remote biometric identification systems in public places with legal authorization in exceptional cases, such as to prevent terrorist attacks or to identify missing persons.
  • AI-modified audio or video content will need to be explicitly labeled.

 

  • Measures to Support Innovation and SMEs (Title 5)

Regulatory sandboxes and real-world testing at the national level will need to be created and made accessible to SMEs and start-ups to develop and train innovative AI before it is brought to market. (Article 53, 54 and 55)

 

  • Effective Date of the Act

 

  • The Statute is still subject to a final legal-linguistic check and is expected to be finally adopted before the end of the legislature (through the so-called correction procedure). The law must also be formally approved by the Council.
  • It will enter into force twenty days after its publication in the Official Journal and will be fully applicable 24 months after entry into force, except for the prohibitions on prohibited practices, which will apply six months after entry into force; codes of practice (nine months after entry into force); general purpose AI rules, including governance (12 months after entry into force); and obligations for high-risk systems (36 months).
  • Ultimately, the law is scheduled to come into force in 2025 after a vote in 2024.

 

 

  1. The announcement on the Act is available here.
  2. You can reach the Full Final Draft of the Act in a PDF by here.
  3. You can reach the EU Summary Presentation on the Act in a PDF by here.

 

Kind regards,

Zumbul Attorneys-At-Law

info@zumbul.av.tr