The European Parliament voted on June 14, 2023 to adopt its position on the draft EU Artificial Intelligence Act (EU AI Act) that would impose a comprehensive regulatory regime on AI. More rules are expected to follow for companies based in the United States.
While artificial intelligence (AI) has been a topic du jour on both sides of the Atlantic, there have been some misconceptions about the technology and the relevance of existing law to AI systems. We have previously considered laws of the United States applicable to AI.
Similarly, certain laws in the European Union (EU) and European Economic Area (EEA) apply to AI, specifically the General Data Protection Regulation (GDPR), which includes provisions applicable to products and services using AI technologies such that companies must consider the GDPR when using AI systems to collect or process personal data of individuals located in the EU and EEA.
What’s more, some EU data protection authorities (DPAs) have interpreted the GDPR as applicable to certain AI systems and services, which interpretation has led to actions including, for example, a temporary ban of ChatGPT in Italy. We discuss below the applicability of existing EU laws to AI, the new EU AI Act, and the EU process remaining prior to the EU AI Act becoming effective.
Under the GDPR, all companies collecting or processing personal data of individuals located in the EU or EEA, including US-based companies, must consider the potential relevance of the GDPR when developing and using AI systems. The GDPR contains many principles and obligations that could already apply to generative AI or other AI tools to the extent that those technologies collect or process personal data of individuals located in the EU or EEA, including
We anticipate that DPAs throughout the EU will continue to interpret the GDPR as applicable to AI products and services despite efforts by the EU to adopt the new EU AI Act. As referenced above, some DPAs believe they should not wait for the AI Act to regulate generative AI.
The European Data Protection Board (EDPB) intends to coordinate the DPA approach and has established a task force to consider the privacy implications associated with ChatGPT that has not yet produced any tangible results. Although the EDPB has no legislative or administrative power to regulate generative AI, it will coordinate its further activities with the DPAs.
In addition to the applicability of the GDPR to AI products and services, the European Commission continues to address AI holistically. The European Parliament’s recent vote adopting the draft EU AI Act includes stricter requirements for generative AI services, such as ChatGPT. It also includes an expansion of the scope of what are considered “high-risk” scenarios.
The EU AI Act would require all users of “high-risk AI systems”—a term defined broadly in the EU AI Act—to perform a detailed “fundamental rights impact assessment,” similar to the data protection impact assessments required under the GDPR, that includes a “verification that the use of the system is compliant with relevant Union and national law on fundamental rights.”
The AI Act permits developers, service providers, and businesses to use “high-risk AI systems”; however, use of these systems will require compliance with various new regulations that, while yet to be promulgated, would mandate thorough testing, proper documentation of data quality, and an accountability framework that details human oversight of the relevant AI system. The AI Act would also require providers of “high-risk AI systems” to register their systems in an EU-wide database managed by the European Commission before offering or using such systems as well as abiding by other obligations imposed by the AI Act.
Additionally, the EU AI Act includes many detailed documentation requirements of significance applicable to AI systems’ developers, service providers, and businesses. For instance, with respect to generative AI, the EU AI Act includes a provision that a developer of a foundation model shall “demonstrate through appropriate design, testing and analysis the identification, the reduction and mitigation of reasonably foreseeable risks to health, safety, fundamental rights, the environment and democracy and the rule of law prior and throughout development with appropriate methods[.]”
There is the risk that the requirement imposed by the reference to “democracy and the rule of law” could be used to exclude certain AI system developers and service providers from the EU market.
There are some notable differences between the approaches of the EU, United Kingdom, and United States for addressing the development and use of AI services and products that all companies must consider. The EU AI Act, as currently drafted, includes a broad regulatory scope applicable to many types of AI systems and provides for adopting rules enforcing the EU’s principles. If the EU AI Act survives in its current form or close to it, the EU would adopt the strictest approach with respect to regulating AI systems of the three jurisdictions.
In contrast, the United Kingdom and United States, at present, are conducting further study into the issues, leveraging existing authorities, and providing nonbinding guidance on the development and use of AI products and services rather than moving to adopt a comprehensive regulatory regime. The EU AI Act would apply to developers, service providers, and businesses located outside the EU when using the output produced by AI systems in the EU, or when such systems collect or process personal data of individuals located in the EU or EEA.
Prior to becoming effective, the European Parliament and European Commission will work to reconcile the EU AI Act with the European Commission and the EU Council (representing the Member States) mediating any conflicts. Once reconciled, the provisional EU AI Act will return to the European Parliament to ratify the revised text of the act.
While it is difficult to predict how long this process will take, it is possible that a provisional EU AI Act could return to the European Parliament by December 2023. The effective date of the legislation is still subject to negotiations but will likely become law two years after the provisional EU AI Act is voted into law. Morgan Lewis continues to monitor closely all developments related to the EU AI Act.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: