Introduction
Impact and actions
In late April 2021, the EU Commission set out its proposal for a regulation on a European approach to artificial intelligence (AI). The 108-page proposal sets out harmonised rules for the development, placement on the market and use of AI systems in the European Union following a proportionate risk-based approach.
EU member states are required to lay down rules regarding penalties for any infringement of the regulation, with fines of up to €30 million or 6% of worldwide annual turnover for certain offences, including engaging in a prohibited AI practice. The proposed regulation imposes obligations in relation to reporting serious incidents and the malfunctioning of AI systems, which constitutes a breach of obligations under EU law.
The regulation has significant implications for industries across numerous sectors globally – especially given the present emphasis by businesses on digitalisation and personalisation – as well as on the broad definition of "AI systems". The regulation also applies, in different ways and with differing obligations, to developers, distributors and AI-system users.
The regulation proposes harmonised rules for:
- placing on the market, putting into service and using AI systems in the European Union;
- prohibiting certain AI practices;
- setting out specific requirements for high-risk AI systems and obligations for the operators of those systems;
- transparency and obligations for AI systems intended to interact with natural persons, emotion-recognition systems and biometric categorisation systems, as well as AI systems used to generate or manipulate image, audio or video content; and
- market monitoring and surveillance.
The definition of AI systems is wide-reaching and applies to AI and certain other technology.
The regulation is designed to apply to AI systems operated and used in the European Union, but it also has extra-territorial reach. Although it is an EU regulation, the legislation will be relevant to suppliers and manufacturers of AI systems based outside the European Union, as its scope extends to providers placing AI systems on the EU market or putting AI systems into service in the European Union, regardless of where they are based, as well as to providers and users of AI systems located outside the European Union where the output produced by the system is used inside the European Union. A provider established outside the European Union will (unless it has an importer) be required to appoint an EU-based authorised representative for the purpose of the regulation. As with the EU General Data Protection Regulation, it is expected to have a wide-reaching effect on shaping the legislative landscape for AI globally and, to some extent, it is also expected to shape how customers adopt AI and how suppliers shape their AI products and services in a legally compliant manner regarding design, sales, licensing and ethical AI solutions, regardless of location.
High-risk AI systems must comply with a set of horizontal mandatory requirements for trustworthy AI and follow conformity-assessment procedures before those systems can be placed on the EU market.
Predictable, proportionate and clear obligations are also placed on providers and users of AI systems to ensure safety and maintain respect for existing legislation protecting fundamental rights throughout the whole AI system lifecycle. This includes obligations in relation to the use of data and information to be provided to end-users in certain situations.
Companies located in the European Union and those that sell or license into the European Union should be cognisant of the proposed regulation when shaping their AI solutions for customers and adopting and embedding AI in their businesses. AI users will also need to engage with the regulation to ensure legal compliance.
If companies are developing AI systems, placing them onto the market or embedding them into businesses, now is the time to grapple with the implications of the proposed regulation and other relevant legislation in this area in line with procurement and sales models, customers, legal templates and business training.
At a national level, EU member states will have to designate one or multiple national competent authorities and, among them, the national supervisory authority, for the purpose of supervising the application and implementation of the regulation. The European Data Protection Supervisor will act as the competent authority for the supervision of EU institutions, agencies and bodies when they fall within the scope of the regulation.
The regulation will apply two years following its entry into force, which will be on the 20th day following its publication in the Official Journal of the European Union, although certain sections may come into force earlier.
For further information on this topic please contact Charlotte Walker-Osborn at Eversheds Sutherland by telephone (+44 20 7919 4500) or email ([email protected]om). The Eversheds Sutherland website can be accessed at www.eversheds-sutherland.com.