THE FUTURE OF AI REGULATION IN EUROPE AND ITS GLOBAL IMPACT - Clifford Chance
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
THE FUTURE OF AI
REGULATION IN
EUROPE AND ITS
GLOBAL IMPACT
MAY 2021
THE FUTURE OF AI REGULATION IN
EUROPE AND ITS GLOBAL IMPACT
On 21 April 2021, the European Commission finally released the
long-awaited proposal for a Regulation on AI (AI Act), a
cornerstone of its AI package. With the AI Act, the EU is
confirming its role and ambition as a pioneer in the regulation of
tech. We consider what this means for businesses, and also offer
perspectives from around the world.
At a glance
Key takeaways of the The AI Act is the first of its kind, setting out harmonised rules for
proposed AI Act AI systems in the EU. It attempts to strike a difficult balance
• The first-ever harmonised legal between two key objectives: promoting innovation and
framework on AI harnessing the benefits of AI, on the one hand; and addressing
• Far-reaching rules with an ambition key risks and fears AI gives rise to, on the other. In so doing,
to set global standards
it seeks to address some of the main concerns levelled at a
• A risk-based approach around four general, horizontal framework, favouring a risk-based approach
risk categories
and taking account of specific sectoral issues.
• A ban on particularly
harmful practices creating Whilst largely focusing on high-risk AI of European rules in the tech sector, and
unacceptable risks systems, it also bans some particularly the effects will be felt for years to come.
harmful practices, and provides specific
• A set of essential requirements and
obligations for high-risk AI, with a
requirements for other systems deemed What is AI?
to present more limited risks but
special focus on data and data sets There is no universally accepted definition
nonetheless requiring increased
of AI.
• Specific transparency rules for transparency. It also encourages
specific AI systems voluntary compliance, beyond
Like the European Commission's White
high-risk AI.
• Specific mechanisms to address Paper on AI, the AI Act recognises the
sectoral concerns need for a 'future-proof' definition: one
It provides for strong governance
that strikes the right balance between
• Fines of up to 6% of total global and enforcement mechanisms,
flexibility, to be able to account for the
annual turnover including the creation of a European
ever-accelerating pace of technological
Artificial Intelligence Board and
• A possible entry into force in the progress, and a definition that is
significant sanctions.
second half of 2022, with full sufficiently precise to provide the
application at the earliest in the necessary legal certainty. Beyond, it aims
At this stage, it is only a proposal and
second half of 2024 to keep the definition 'technology neutral',
there is a long road ahead. Yet the AI Act
and it focuses not on AI as such, but on
• A new public consultation to represents a revolution in the field of AI,
AI systems.
stay involved and a landmark in defining a harmonised
regulatory framework for the EU with the
• One key milestone in a wider AI and The AI Act contains a quite simple – and
potential for setting global standards.
digital strategy for Europe pretty broad – definition of an AI system
(or artificial intelligence system), focusing
The AI Act is a critical part of a wider and
Perspectives from around on software and the approaches and
very ambitious strategy in Europe on AI,
techniques used to develop that software.
the world and on tech more generally. Proposals for
It also contains a mechanism for the
• United Kingdom further legislation are expected in the
Commission to update the list in light of
months to come, and other key texts in
• United States market and technological developments.
the tech space are already being
• Asia Pacific discussed in the Parliament and Council.
More specifically, an AI system is defined
They include the proposals for a Digital
as "software that is developed with one
Markets Act and a Digital Services Act as
or more of the techniques and
well as for a Data Governance Act.
approaches listed in Annex I and can, for
All are game-changers. And when viewed
a given set of human-defined objectives,
together, this is the biggest shake-up ever
2 CLIFFORD CHANCE
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
generate outputs such as content, Covering the entire AI
predictions, recommendations, or
value chain
decisions influencing the environments
they interact with". The list of techniques Although the focus is on the provider and
and approaches includes machine- the user of the AI system, there are
learning approaches, logic and obligations for parties involved across the This proposed EU AI
knowledge-based approaches as well as entire AI value chain, from providers, regulation is a world first,
manufacturers and authorised
statistical approaches.
representatives to importers and
and is likely to be a game-
As those who saw the previous leaked distributors through to users – and changer. Global
draft of the Regulation may note, the relevant third parties. organisations will be
definition has been scaled back. Notably,
concerned about the
there is no longer any reference to Most are defined. This is the case for the
automation within the definition itself. provider – the person that develops or
worldwide reach of
has developed an AI system with a view these rules.
GDPR-style extraterritorial to placing it on the market or putting it
scope? into service under its own name or
trademark. It is also the case of the
The rules set out in the AI Act are not
authorised representative, importer,
limited to EU-based operators. Far from
distributor and user. Regarding users, use
it. Purportedly to ensure effective
in the course of a personal non- —DESSI SAVOVA
protection of citizens in the EU, the new
professional activity is expressly excluded. Partner, Commercial & Tech
rules have far-reaching effects, and would
basically apply where an AI system is
On the other hand, the notion of third
placed on the EU market, or its use
party does not appear to have been
affects people located in the EU.
defined, leaving this open to
interpretation. Nevertheless, the recitals
More specifically, the AI Act applies to:
shed some light on this notion. It would
for instance seem aimed at covering third
• Providers placing or putting AI systems
parties involved in the sale and supply of
into service on the EU market,
software or pre-trained models and data,
regardless of where they are
and network services providers.
established;
• Users of AI systems located in the The AI Act includes specific measures,
EU; and and relaxes certain requirements, for
'small-scale providers' and start-ups.
• Non-EU providers and users of AI
systems, where the output produced
by the AI system is used in the EU. Categories of AI systems
The third limb ensures a very broad Unacceptable risk
Prohibited practices
scope for the new rules and is likely to be
a source of questions.
High risk
Specific requirements
There would also be the need for and obligations
providers outside the EU to designate an
authorised representative in the EU, when Limited risk
Specific transparency
an importer cannot be identified. requirements
The new rules would in principle apply to
public authorities, agencies and bodies, Minimal risk
No specific
including Union institutions, agencies and requirements
bodies subject to specific rules, including
different fines. However, there is a specific
exclusion for public authorities in third The European Commission's risk-based
countries or international organisations approach is structured around four
using AI systems in the framework of categories of AI systems. Three of the
international agreements for law four are regulated under the AI Act.
enforcement and judicial co-operation.
CLIFFORD CHANCE 3
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
The fourth, dubbed 'minimal risk' and The central notion of
which would include such things as
high-risk AI
AI-enabled video games or spam filters,
is apparently not. According to the The main focus is on this category of AI
European Commission, this category systems, the second from the top in the
would in fact cover the great majority of risk pyramid. The AI Act expressly
AI systems. identifies the types of AI systems that are
considered high-risk.
That said, the AI Act generally also
encourages the voluntary application of The first category comprises AI systems
its rules to AI systems other than to be used as safety components of
high-risk systems. some (or that themselves are) products
covered by Old Approach Sectoral
Legislation or NLF Sectoral Legislation
A ban on unacceptable AI (for instance, in the aviation, automotive
practices? or healthcare sectors) identified in the AI
As part of its risk-based approach, the AI Act, where such products (or the AI
Act prohibits certain practices as a matter system itself if it is the product) are
of principle, or authorises them subject to subject to a third-party conformity
specific conditions. These are practices assessment under that legislation.
deemed to create unacceptable risks,
contravening core Union values. The second category relates to 'stand-
They include: alone' AI systems. For example, it
includes AI systems intended to be
• Manipulative AI practices: used for:
AI systems deploying subliminal
techniques that are beyond a person's • 'Real-time' and 'post' remote biometric
consciousness or exploiting identification of natural persons (e.g.,
vulnerabilities of a specific group of facial recognition). More generally, and
persons, in each case to materially given the risks, remote biometric
distort a person's behaviour in a identification systems are subject to
manner likely to cause physical or specific and stricter requirements;
psychological harm;
• Determining access to education or
• Social scoring by public authorities assessing students in educational and
in certain circumstances where it leads vocational training institutions;
to detrimental or unfavourable
• Recruitment or selection purposes,
treatment; or
e.g., for filtering applications or
• The use of 'real-time' remote evaluating candidates, or for making
biometric identification systems in decisions in terms of promotion or
publicly accessible spaces for law termination of work relationships. This
enforcement, except in circumstances is a topic that is also relevant for
tied to specific use cases (such as the companies that are active in the 'gig'
targeted search for potential victims economy. There is an ongoing debate
including missing children and the about the role and impact of
prevention of terrorist attacks) and technology towards employees
subject to specific conditions. Notably, compared with its effects on self-
each individual use would require a employed people and people providing
prior authorisation. services through platforms;
There are questions on the effectiveness • Evaluating eligibility to, granting,
of these restrictions, given their limited reducing, revoking or reclaiming public
nature and applicable conditions assistance benefits and services;
and exceptions.
• Evaluating natural persons'
creditworthiness or establishing their
These provisions also need to be
credit score.
considered in light of other legislation,
including the GDPR and its provisions on It also includes AI systems intended to be
automated processing / profiling. used as safety components for the
4 CLIFFORD CHANCE
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
management and operation of certain The AI Act allows providers to process
critical infrastructure, i.e. road traffic 'special categories of data' as referred
and the supply of water, gas, heating to in the GDPR and other related EU
and electricity. legislation. This refers to particularly
sensitive data such as personal data
High-risk AI: Looking revealing racial or ethnic origin, political
opinions, religious or philosophical
to the future
beliefs, or trade union membership, and
To be able to address future genetic data or data concerning health.
developments, there is a procedure to And its processing is generally
update the list of high-risk AI systems. prohibited except in very limited
circumstances. Here, the processing is
The first key condition to be able to add authorised to the extent strictly
an AI system to the existing list is that it necessary for bias monitoring,
comes within one of the eight areas that detection and correction, and is subject
are expressly identified. The second is to appropriate safeguards.
that it represents a risk of harm to health
and safety or adverse impact on Interestingly, the data and data
fundamental rights that is equivalent to or governance requirements themselves
greater than the risk posed by the do not appear to include an explicit
systems that are already listed. The text requirement that the data sets not
proceeds to identify criteria to be incorporate biases, or to actually
taken into consideration by the correct biases. The position differs from
European Commission. what was envisaged in the previous
(leaked) draft. It notably contained a
Specific rules for requirement for high quality data sets to
ensure that the AI system "does not
high-risk AI incorporate any intentional or
Specific requirements apply to high-risk unintentional biases, which may
AI systems: become the source of discriminatory
• Risk management system: a risk impacts prohibited by Union and
Member State law once the high-risk For the first time, the
management system must be
established and maintained, and it AI system is used according to its proposed EU AI rules
must consist of a process requiring intended purpose". explicitly require human
regular, systematic updating. Key steps • Documentary requirements and oversight for high-risk AI
would include identification and analysis record-keeping: this notably covers systems. That will require
of risks and adoption of suitable risk the technical documentation to be
management measures. In companies working with
established, maintained and updated,
implementing the risk management logging capabilities and traceability. high-risk AI to implement
system, specific consideration must On logging capabilities, additional appropriate measures to
be given to the potential impact requirements are included for ensure that people prevent
on children. systems intended to be used for
or minimise potential risks.
• Data and data governance: these biometric identification.
Organisations will have to
aspects appear key and have received • Transparency and provision of
special treatment, being subject to the information to users: high-risk AI
provide for a 'kill switch'
highest level of fines. Requirements are systems must be accompanied by to instantly interrupt
included on the training of models with instructions for use, containing high-risk AI.
data and data sets, including to ensure "concise, complete, correct and clear
the quality of data sets and address information that is relevant, accessible
possible biases. The data sets must be and comprehensible". The information
relevant, representative, free of errors must include the capabilities and
and complete. One question here is to limitations of performance of the AI
what extent it is feasible, in practice, to system, changes that have been —THOMAS VOLAND
have fully error-free data sets. pre-determined, expected lifetime, Partner, Corporate
CLIFFORD CHANCE 5
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
and necessary maintenance and care Dedicated guidance to facilitate providers'
measures. The information is all the compliance with the obligations to report
more important as users have a duty serious incidents or malfunctioning is to
to use the system in accordance with be issued within 12 months following the
the instructions. entry into force of the AI Act.
• Human oversight: the regulation
Other 'operators'
proposes explicit human oversight. As
Specific obligations are set out for other
a starting point, high-risk AI systems
operators and actors, including importers
must be designed and developed in a
and distributors. For their part, users for
manner enabling effective human
instance must use the AI system in
oversight. Two main types of measures
accordance with the instructions. In
are identified: those 'by design', in that
addition, if the user controls the 'input
they are built into the systems; and
data', it must ensure that data is relevant
those that are identified by the provider
in view of the intended purpose.
and suitable for implementation by the
user. Measures are aimed at enabling
Allocation of roles and
the person exercising the oversight to
responsibilities – flow-down
for instance, and as appropriate,
monitor the system's operation, Beyond defining specific obligations for
interpret its output and intervene or each category of actor, the AI Act clarifies
even interrupt its operation. There are in what circumstances the manufacturer
specific measures for AI systems to be of the product takes responsibility for
used for biometric identification. compliance of the AI system, when an
authorised representative must be
• Accuracy, robustness and cyber appointed by the provider and when
security: requirements include other actors of the AI value chain,
resilience to errors, faults or including third parties, are to be
inconsistencies and to attempts by considered as provider. This is the case,
unauthorised third parties to alter use for instance, where they put a high-risk AI
or performance by exploiting system system on the EU market under their
vulnerabilities. Provisions are included name, or where they modify the intended
to address the specific issues of bias purpose or make a substantial
and 'feedback loops', as well as modification. This means that white-
'data poisoning'. labelling arrangements and any bespoke
'off the shelf' systems will need to be
Specific obligations for carefully assessed and monitored.
operators of high-risk AI
The AI Act also seeks to ensure that
and other related parties actors throughout the chain take
The provider responsibility. For instance, the importer
First and foremost, the AI Act sets out is required to ensure the appropriate
obligations for the provider. They include conformity assessment has been carried
responsibility for ensuring that the high- out by the provider and the appropriate
risk AI system complies with the technical documentation has been drawn
requirements above and undergoes the up. The distributor must ensure that the
relevant conformity assessment provider and the importer have complied
procedure, drawing up the EU declaration with applicable obligations. The importer
of conformity and affixing the CE marking. and the distributor are required to not
The provider is also responsible for having place a high-risk AI system on the market
a post-market monitoring system in where they consider that it does not
place, and for taking necessary corrective comply with certain requirements. Both
actions and informing relevant authorities must also ensure that while a high-risk AI
in the event of non-compliance. system is under their responsibility,
storage or transport conditions do not
6 CLIFFORD CHANCE
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
jeopardise its compliance. Users likewise allow market surveillance authorities to
have monitoring obligations and a duty to authorise, on a temporary basis and
inform the provider or distributor when subject to conditions, the placing on the
they have reasons to consider that use in market or putting into service of specific
accordance with the instructions may high-risk AI systems "for exceptional
result in the AI system presenting certain reasons of public security or the
risks or when they identify a serious protection of life and health of persons,
incident or malfunctioning. environmental protection and the
protection of key industrial and
Key questions will also arise regarding the infrastructural assets".
contractual framing of the parties'
respective roles and responsibilities, The registration of
including related warranties, liability and
high-risk AI systems
indemnities. The scope and effect of
these provisions may also depend on The AI Act provides for the creation of an
specific rules that may be developed EU database for 'stand-alone' high-risk AI
regarding the liability regime for (certain) systems (in principle, not those covered
AI systems. by certain specific sectoral legislation
referred to in the AI Act).
Conformity assessments Providers of those high-risk AI systems
for high-risk AI would be required to register them in the
A key requirement for high-risk AI database with a pre-defined list of
systems is that they be subject to a information, e.g.: identification of the
conformity assessment prior to placing on provider and of the AI system, description
the market or putting into service. of the intended purpose of the AI system,
copy of the certificate issued by the
As a general rule, and putting aside high- relevant notified body (if applicable), copy
risk AI systems to which the NLF Sectoral of the declaration of conformity and
Legislation applies or those put on the electronic instructions for use. The
market or into service by credit information in the database would be
institutions and to which specific publicly accessible, and the Commission
regulations apply (see below), the AI Act would be the controller of the database.
appears to favour conformity
assessments carried out by the provider Specific transparency for
under its own responsibility. A notable
'limited risk' AI
exception relates to the conformity
assessment of AI systems intended to be Certain AI systems are subject to specific
used for the remote biometric transparency obligations.
identification of natural persons, where
specific rules apply. One key ethical concern often raised in
relation to AI is the need to ensure that
The conformity assessment procedures people are aware when interacting with
include specific provisions regarding the an AI system. Each of the 2019 Ethics
need to carry out new assessments each Guidelines for Trustworthy AI, the 2020
time the high-risk AI system is Assessment List for Trustworthy Artificial
substantially modified. One specificity, in Intelligence (ALTAI) for self-assessment
the context of AI, relates to systems that and the European Parliament's 2020
continue to learn. On this, it seems that resolution on a framework for ethical
changes to the high-risk AI system and aspects of AI touches on this question.
its performance that have been pre- The AI Act follows suit. It requires
determined by the provider at the time providers to ensure that systems are
of the initial conformity assessment would designed and developed in such a
in principle not be considered as manner that individuals are informed
substantial modifications. when they are interacting with an AI
system (e.g., a chatbot), unless this
There are specific derogations from the is obvious.
conformity assessment procedure. They
CLIFFORD CHANCE 7
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
The AI Act also imposes additional under that legislation. Accordingly, whilst
information obligations on users. This is the AI Act would be of very limited direct
the case in relation to 'deep fake' application, it would make its way into the
content, where users must reveal that the Old Approach Sectoral Legislation.
content has been artificially generated /
manipulated. Likewise, where natural Avoiding additional burden for
persons are exposed to emotion other AI systems?
recognition or biometric categorisation The AI Act addresses questions of
systems, they must be informed of the interplay with other listed sectoral
operation of the system. legislation, i.e. 'Union-harmonised
legislation based on the New Legislative
There are exceptions however, in Framework' (NLF Sectoral Legislation).
particular for certain AI systems This covers, amongst other things,
authorised by law for the purposes medical devices, toys, lifts and radio
of crime detection, prevention equipment, as well as machinery for
and/or prosecution. which a Proposal for a Regulation was
also announced on 21 April 2021.
An excluded, limited or For instance, and to avoid duplications
The interplay with and additional burden, the conformity
partial application to
other regimes assessment procedure required under
certain AI systems that specific sectoral legislation would in
• Sectoral issues: The AI Act seeks
to address certain specific sectoral No application to military-purpose principle be followed. The key
issues and concerns, including in systems requirements for high-risk AI under the AI
light of existing legislation. The AI Act does not apply to AI systems Act would apply and be part of the
that are developed or used exclusively for assessment, and certain other conformity
• Interplay with other laws more
military purposes. assessment aspects under the AI Act
generally: The AI Act needs to be
would also apply. Likewise, a single set of
considered in conjunction with other A very limited application to certain technical documentation would be drawn
laws. It cannot be perceived in types of AI systems up, containing the information set out in
isolation. For example, the AI Act
Importantly, the AI Act seeks to address the AI Act and the information required
recognises that classifying and
the question of the interplay with existing under the specific sectoral legislation.
regulating an AI system as high-risk
sectoral legislation.
does not mean that it is necessarily
In addition, there are specificities
lawful under other EU law or
For some AI systems, the AI Act would throughout the AI Act regarding
national law. That means, for
be of very limited application, at least requirements for credit / financial
instance, that compliance with
direct application. This is the case of institutions in light of existing legislation,
rules like the GDPR will need to
high-risk AI systems that are safety e.g., in relation to conformity
continue and be interpreted
components of (or that themselves are) assessments, monitoring and the
alongside these rules.
products or systems covered by specific notification of serious incidents. This will
listed sectoral legislation in the fields of not be relevant for all financial institutions,
civil aviation, motor vehicles, two- or but those that are within scope will begin
three-wheel vehicles and quadricycles, considering the interplay between their
agricultural and forestry vehicles, rail CRD IV governance frameworks and the
systems and marine equipment (referred AI Act, particularly as this is an area that
to in this note as Old Approach Sectoral such firms will want to ensure makes its
Legislation). More specifically, only the way into the final versions of the
provisions of the AI Act related to its Regulation. Whether these proposed
evaluation and review process (Article 84) limited derogations survive to the final
are said to apply. There is uncertainty on proposal – and the extent of them –
what exactly this means. remains to be seen. However, this will be
an area for relevant firms to monitor and
On the other hand, through other consider how their existing CRD
provisions the AI Act expressly amends compliance efforts will synchronise with
the Old Approach Sectoral Legislation, to the scope and requirements of the
ensure that key requirements for high-risk new rules.
AI systems set out in the AI Act shall be
"taken into account" when adopting
relevant delegated or implementing acts
(or other relevant measures / documents)
8 CLIFFORD CHANCE
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
Specific time frame for certain Also, the AI Act enables the processing,
large-scale IT systems for the purposes of developing and
There are specific provisions regarding testing AI systems in the sandboxes, of
the application of the AI Act to AI systems personal data collected for other
that are components of certain large- processes. However, there are conditions
scale IT systems in the area of freedom, attached. Moreover, this is said to be This is not the end game.
security and justice (e.g., Schengen without prejudice to EU or national For anyone wanting to
Information System, Visa Information legislation that excludes processing for influence Europe's direction
System, Eurodac). In principle, the AI Act purposes other than those explicitly set
out in that legislation. It is uncertain, for
of travel on AI, the hard work
would not apply to those systems where
placed on the market or put into service instance, how exactly the option under starts now. The European
before the date that falls 12 months after the AI Act relates to and interacts with the Parliament and Member
the date of full application of the AI Act. restrictions in the GDPR on purpose States will spend the next 18
However, there are exceptions. limitation.
months to two years
Post-market monitoring, debating the proposal. They
Governance – the creation
sharing of information on could make significant
of a European Artificial
incidents and market changes before they finally
Intelligence Board
surveillance adopt the new Regulation.
The harmonised implementation of the AI
Act would be ensured at the EU level by The AI Act contains detailed provisions to
a newly established European Artificial address the post-market environment.
Intelligence Board. This would be Providers of high-risk AI systems are,
comprised of the national supervisory for example, required to have a post-
authorities and the European Data market monitoring system, itself based —GAIL ORTON
Protection Supervisor, and be chaired by on a post-market monitoring plan. The Head of EU Public Policy
the Commission. It would notably provide Commission is expected to adopt an
advice and assistance to the implementing act to detail what that plan
Commission, including issuing opinions is to look like.
and recommendations on technical
specifications and issues of Providers of high-risk AI systems must
standardisation and the preparation of report serious incidents and malfunctions
guidance documents. to competent market surveillance
authorities against aggressive timelines –
The AI Act also details the role and and no more than 15 days from having
powers of different national authorities, become aware of them. Here too,
including national competent additional guidance is to be developed
authorities, notifying authorities, national by the Commission, and issued within
supervisory authorities and market 12 months of the entry into force of
surveillance authorities. the Regulation.
Sandboxes Provisions on enforcement and market
Proposed measures in support of surveillance also include specific
innovation include regulatory sandboxes, procedures where a Member State
under the direct supervision of competent determines that, although an AI system is
authorities, to facilitate the development, compliant with applicable requirements, it
testing and validation of AI systems. poses a risk in terms of health and safety,
Modalities and conditions of operation are protection of fundamental rights or other
to be set out in implementing acts. There public interest protection.
are specific measures aimed at helping
small-scale providers and start-ups,
including giving them priority access if
they satisfy eligibility conditions.
CLIFFORD CHANCE 9
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACT
Sanctions – GDPR or The road ahead – the
antitrust-like fines beginning of the process
Very significant fines are contemplated to It is early days for the AI Act and there is
ensure effective implementation. a long road ahead before it becomes EU
law. The AI Act will now be passed to the
For the most serious non-compliances, European Parliament and Council of the
administrative fines can reach the higher EU for adoption under the ordinary
of EUR 30,000,000 and 6% of total legislative process (formerly known as
global annual turnover. This applies to 'co-decision'). Both the Parliament and
prohibited AI practices, as well as to any Member States must jointly agree the final
non-compliance with the data and data wording of the legislation before it can be
governance requirements for high-risk formally adopted. Interestingly, the
AI systems. European Commission has launched
another public consultation, this time on
For non-compliance of the AI system with the AI Act. The feedback received will be
any other requirement or obligation, shared with the European Parliament and
administrative fines of up to the higher of Council so that it can be taken into
EUR 20,000,000 and 4% of total global account in the legislative process. The AI
annual turnover apply. Specific fines apply Act was opened for feedback for a
to the supply of incorrect, incomplete or minimum of eight weeks from 26 April
misleading information to relevant bodies/ 2021, with the deadline for submissions
authorities following a request (up to EUR set at 5 July 2021 (at the date of this
10,000,000 or 2% of total global annual note). Dates may further change.
turnover, whichever is the higher).
This provides yet another opportunity for
Member States are responsible for laying interested parties to have their say and
down the rules on penalties, including contribute to the legislative debate.
administrative fines, and for ensuring they
are implemented. Penalties must be The timing of the legislative process is
effective, proportionate and dissuasive. difficult to predict but the earliest we
With respect to a Member State's public could expect a final text to be agreed and
authorities and bodies, that Member adopted by the Parliament and Council is
State would determine to what extent 18-24 months from now (end of 2022 or
administrative fines could apply. first half of 2023), with a further period of
Administrative fines would be imposed by 24 months before it would become fully
The proposed AI Act marks national courts or other bodies in the applicable. The decision to propose a
a turning-point in the relevant Member State, as applicable, Regulation rather than a Directive means
regulation of AI. And it's only depending on its legal system. the new rules will be directly applicable
the start. It is one crucial and avoids the additional time that would
Different fines and different rules apply for have been required for national
part within a wider Union institutions, agencies and bodies, implementation.
framework being assessed and the European Data Protection
and designed in Europe for Supervisor is empowered to In any event, it would be a while before
the regulation of AI, and tech impose those fines. these new rules kick in.
more generally. The AI Act generally does not, on the We should also assume that the proposal
other hand, deal with the question of will undergo substantial changes as part
damages and indemnification. of the legislative process. The regulation
of AI is a controversial and thorny
question, with complex issues to be
managed and conflicting interests to be
—ALEXANDER KENNEDY balanced. Concerns and criticism are
Counsel, Commercial & Tech already being voiced, whether as regards
10 CLIFFORD CHANCE
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACTshortfalls and loopholes in terms of A wider regulatory The four policy
addressing risks and protecting
framework expected for AI objectives of the
fundamental rights, or in terms of
Any discussion of AI involves key
the restrictions, burden and cost Co-ordinated Plan on
for businesses. questions around safety and liability, and
whether the existing regulatory framework Artificial Intelligence
The Parliament has already undertaken can address the new challenges and risks 2021 Review
significant work on the issues, having created by AI. The AI Act has not • Enabling the development and
adopted a number of documents on AI resolved all of these questions. uptake of AI in the EU: includes
including on a framework for ethical key initiatives around data sharing
aspects, a civil liability regime for AI and The review of the Co-ordinated Plan on and computing infrastructure
intellectual property rights for the AI, the second pillar of the Commission's
AI package announced on 21 April 2021, • AI excellence, "from the lab to
development of AI. However, several of
provides very useful insight on what can the market": includes funding
those aspects would in principle be
be expected. In addition to the AI Act, the networks of excellence centres,
addressed through separate legal
European Commission will be proposing: setting up the European Partnership
instruments to come, rather than through
on AI, Data and Robotics, and
the AI Act itself.
• In 2021 and beyond, necessary consolidating the European AI-on-
revisions of existing sectoral safety demand platform
A phased application legislation. This has already started with • AI for good: Ensuring that "AI
The new rules would generally apply from the Proposal for a Regulation on works for people and is a force
24 months after entry into force of the machinery products. Other examples for good in society": includes
AI Act. include the General Product Safety initiatives to foster talent and
Directive, with the Commission develop skills, and a policy
By exception, some provisions would apparently intending to adopt a framework to ensure trust in AI
begin to apply earlier. This is the case of proposal for its revision during systems. Beyond legislative
those on notifying authorities and notified Q2 2021. proposals, action areas include the
bodies, as well as on the European
• In 2022, measures to adapt the liability promotion of the Assessment List
Artificial Intelligence Board and national
framework to the specific challenges of for trustworthy AI (ALTAI)
competent authorities. They would apply
from three months following entry into new technologies and AI (other • Strategic leadership in 'high-
force. The point here is that the available information refers to Q4 2021 impact sectors': the focus is on
infrastructure regarding governance and – Q1 2022). This may include revising seven sectoral action areas, i.e. (i)
the conformity assessment system should the Product Liability Directive, as well climate and the environment, (ii)
be operational before the date of full as a legislative proposal regarding the health, (iii) robotics, (iv) the public
application. The provisions on penalties liability regime for certain AI systems. sector, (v) law enforcement,
would start to apply from 12 months Likewise, the AI Act does not address migration and asylum, (vi) mobility,
following entry into force of the AI Act. other key aspects related to AI, for and (vii) sustainable agriculture.
The rationale is to enable the Member instance specific challenges in terms of
States to define the applicable rules, intellectual property rights. The need to
notify the Commission and ensure they ensure that the IP framework is fit for the
are properly and effectively implemented digital age and address any changes
by the time the AI Act applies in full. deemed necessary to the existing legal
framework, is something that is picked up
Also, the AI Act addresses the important by the IP Action Plan announced by the
question of AI systems put on the market European Commission at the end of
or into service before the AI Act starts 2020. Naturally, the impact of the use of
applying in full. Putting aside the specific AI is a key part of that discussion.
case of large-scale IT systems in the
fields of freedom, security and justice
mentioned above, the AI Act would apply
only in case of significant changes in
design or intended purpose from the date
of full application of the AI Act.
CLIFFORD CHANCE 11
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACTPERSPECTIVES FROM AROUND
THE WORLD
As with other EU initiatives, the proposal may have knock-on
Implementing AI governance
effects in other jurisdictions that are considering how to design
and compliance should be a
and implement their own regulatory regimes for AI. In any
priority for all Boards. The
event, the AI Act will be closely followed by governments,
proposed EU AI Act shows
policymakers and regulatory bodies globally. And non-EU
that global corporates need
companies will also need to consider what authorities in their
to keep pace with both
jurisdictions have to say about AI.
legislative change and
sectoral legislation. The
The UK The US
reputational and financial Although the UK's position on AI The Federal Trade Commission (FTC),
consequences of failing to matters post-Brexit is still evolving, the the general consumer protection
do so are material. UK has clearly indicated that it aims to regulator in the US, has asserted that it
be a world leader in AI. The UK has would be closely monitoring companies'
retained the GDPR, one of the only use of AI. In particular, the Commission
regulations around the world that deals has highlighted concern over AI
directly with automated decision- intended to be used for or that has the
making, and therefore AI, in domestic effect of discriminating against a
—KATE SCOTT law. In May 2020, the UK's data protected class, such as by race or
Partner, Litigation & protection regulator, the ICO, released gender. To this end, the FTC has set out
Dispute Resolution detailed guidance on explaining guidance for businesses to adopt when
decisions made with AI. This provides deploying AI functions, including
important clarity for businesses on how principles embodied in the AI Act such
to meet the requirements set out in the as transparency and monitoring. US
UK GDPR. The UK House of Lords has banking regulators are also seeking
also warned that a solely self-regulatory comment on the use of AI by financial
approach, based on organisations institutions, suggesting further guidance
producing their own ethical AI codes of may be forthcoming.
conduct, risks a lack of uniformity and
The US is approaching AI as enforceability. In March 2021, the UK APAC
Department for Digital, Culture, Media
they have other technology, and Sport announced its Ten Tech
Generally, and with the exception of
emphasising transparency the PRC, APAC jurisdictions have
Priorities. The priorities include helping
explored AI initiatives and provided
and explainability, as well as to set the rules of engagement for AI
high-level guidance but there has yet to
outputs. We can expect US use and leading the global debate on AI
be an enforcement regime in place
and governance. They have been
regulators to continue to released in advance of the UK's National
or underway.
bring enforcement actions in AI Strategy, which will be finalised in
The PRC
this area. 2021 and will bring together the policy
Within APAC, the PRC is leading to look
and regulatory recommendations made
into AI regulations, releasing the long-
to the UK government on how to ensure
term action plan 'New Generation
safe and resilient development of AI. In
Artificial Intelligence Development Plan'
the meantime, we expect the UK to
in 2017 with specific goals in the
continue working closely with
regulatory regime of AI up to 2030,
—MEGAN GORDON competition, privacy, financial services
alongside the existing legal framework
Partner, Litigation & and other sector regulators to produce
such as the Cybersecurity Law which
Dispute Resolution meaningful guidance for companies
governs the use and processing of
working with AI, and to see continued
personal information. The AI Act will
enforcement relying on existing legal
certainly provide helpful referential value
requirements and ethical expectations.
for China to fine-tune its goals and
The UK, EU and other global AI players
milestones in terms of its AI
will also need to align and find areas
regulatory regime.
of harmony in order to further
boost innovation.
12 CLIFFORD CHANCE
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACTOther key APAC jurisdictions dependent on existing regulations for
• Singapore: There is no centralised AI specific institutions such as FI, or
regulation (or even one being tabled). existing legislation that may apply to
Instead, there are several different specific aspects of the use of
issued guidelines dealing with AI technology/data such as the Personal
The proposed AI Act may
which, while not meant to be Data (Privacy) Ordinance.
prescriptive, are supposed to assist
provide a useful starting
• Japan: There is currently a lack of
organisations with implementing AI point for other jurisdictions
thematic guidance on specific
responsibly – the key guideline being applications of AI in Japan, although in deciding how best to
the PDPC's Artificial Intelligence there are high-level considerations implement AI regulatory
Governance Framework, followed by
the MAS's FEAT (which shares
relating to AI in its updated AML regimes of their own. This
guidelines (that AI output should be
broadly the same principles). may be all the more relevant
explainable and interpretable). AI
Naturally, that means that there are no regulation is largely undertaken via for jurisdictions such as
penalties specifically for misuse of AI individual enforcement actions by the Singapore, where the
either – although there can be under
other legislation such as the PDPA,
FSA (Financial Services Agency) current governance
based on the existing regulatory
provided they apply. framework appears based
framework against potential misuse
• Hong Kong: Similar to Singapore, (e.g. suspension order against a on similar core principles
there are currently no laws/regulations registered firm lending its name to and approach: transparency,
in Hong Kong that are specific to AI non-registered firms developing accuracy and the necessity
(with the exception of measures investment programmes).
for human oversight,
adopted to ban certain AI products
which may affect personal safety such
• Australia: The ASIC (Australian along with a
Securities and Investments
as self-driving AI). Local regulatory risk-sensitive approach.
Commission) has rolled out a detailed
bodies have released high-level ASIC Regulatory Guide which
guidance on AI and AI products, provides guidance that aims to assist
including the Hong Kong Monetary industry with understanding ASIC's
Authority's High-level Principles on AI, approach to regulating digital advice,
and the SFC's Guidelines on Online requiring regulated entities to put in
Distribution and Advisory Platforms. —IRIS MOK
adequate resources and to have
Any regulation of AI is largely Senior Associate, Litigation &
appropriate monitoring and testing.
Dispute Resolution
CLIFFORD CHANCE 13
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACTAUTHORS
Dessislava Savova Gail Orton Alexander Kennedy Herbert Swaniker Thomas Voland Sanne Blankestijn
Partner Head of EU Public Counsel Lawyer Partner Associate
Paris Policy Paris London Dusseldorf Amsterdam
T: +33 1 4405 5483 Paris/Brussels T: +33 1 4405 5184 T: +44 207006 6215 T: +49 211 4355 5642 T: +31 20 711 9131
E: dessislava.savova@ T: +33 1 4405 2429 E: alexander.kennedy@ E: herbert.swaniker@ E: thomas.voland@ E: sanne.blankestijn@
cliffordchance.com E: gail.orton@ cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com
cliffordchance.com
CONTACTS
Düsseldorf Hong Kong Singapore UK
Claudia Milbradt Brian Harley Iris Mok Paul Landless Xide Low Monica Freely
Partner Consultant Senior Associate Partner Senior Associate Senior Associate
Düsseldorf Hong Kong Hong Kong Singapore Singapore London
T: +49 211 4355 5962 T: +852 2826 2412 T: +852 2826 3585 T: +65 6410 2235 T: +65 6506 2783 T: +44 207006 2322
E: claudia.milbradt@ E: brian.harley@ E: Iris.Mok@ E: paul.landless@ E: xide.low@ E: monica.freely@
cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com
Arnav Joshi Jonathan Kewley Stephen Reese Kate Scott Leigh Smith Phillip Souta
Senior Associate Partner Partner Partner Senior Associate Head of UK Public
London London London London London Policy
T: +44 207006 1303 T: +44 207006 3629 T: +44 207006 2810 T: +44 207006 4442 T: +44 207006 6235 London
E: arnav.joshi@ E: jonathan.kewley@ E: stephen.reese@ E: kate.scott@ E: leigh.smith@ T: +44 207006 1097
cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com E: phillip.souta@
cliffordchance.com
US Warsaw
Megan Gordon Daniel Silver Alex Sisto Brian Yin Anna Biała
Partner Partner Associate Associate Counsel
Washington DC New York New York New York Warsaw
T: +1 202 912 5021 T: +1 212 878 4919 T: +1 212 878 4990 T: +1 212 878 4980 T: +48 22429 9692
E: megan.gordon@ E: daniel.silver@ E: alex.sisto@ E: brian.yin@ E: anna.biala@
cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com cliffordchance.com
CLIFFORD CHANCE 14
THE FUTURE OF AI REGULATION IN EUROPE
AND ITS GLOBAL IMPACTThis publication does not necessarily deal with every important
topic or cover every aspect of the topics with which it deals.
It is not designed to provide legal or other advice.
www.cliffordchance.com
Clifford Chance, Avenue Louise 65, Box 2, 1050
Brussels, Belgium
© Clifford Chance 2021
Clifford Chance LLP is a limited liability partnership registered
in England and Wales under number OC323571
Registered office: 10 Upper Bank Street, London, E14 5JJ
We use the word ‘partner’ to refer to a member of
Clifford Chance LLP, or an employee or consultant with
equivalent standing and qualifications
If you do not wish to receive further information from
Clifford Chance about events or legal developments which we
believe may be of interest to you, please either send an email
to nomorecontact@cliffordchance.com or by post at
Clifford Chance LLP, 10 Upper Bank Street, Canary Wharf,
London E14 5JJ
Abu Dhabi • Amsterdam • Barcelona • Beijing • Brussels •
Bucharest • Casablanca • Delhi • Dubai• Düsseldorf •
Frankfurt • Hong Kong • Istanbul • London • Luxembourg •
Madrid • Milan • Moscow • Munich • Newcastle •
New York • Paris • Perth • Prague • Rome • São Paulo •
Seoul • Shanghai • Singapore • Sydney • Tokyo • Warsaw •
Washington, D.C.
Clifford Chance has a co-operation agreement with Abuhimed
Alsheikh Alhagbani Law Firm in Riyadh.
Clifford Chance has a best friends relationship with Redcliffe
Partners in Ukraine.
2105-000178You can also read
