// HIGHLIGHT //
EU lawmakers reach a deal on AI Act
We have covered the contentious EU discussions over the AI Act. After 36 hours of negotiations over three days (22 of which were consecutive), a provisional agreement was finally reached.
Definition. The EU definition of AI is borrowed from OECD, which reads: ‘An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that [can] influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment.
National security exemption. The proposed regulation won’t impede member states’ national security authority and excludes AI systems for military or defence purposes.
Another exemption. It also exempts AI solely for research, innovation, or non-professional use.
General purpose AI systems and foundation models. General AI systems, especially general-purpose AI (GPAI) models, must adhere to transparency requirements, including technical documentation, compliance with the EU copyright law, and detailed summaries about training content. Stringent obligations for high-impact GPAI models with systemic risks include evaluations, risk assessments, adversarial testing, incident reporting, cybersecurity, and energy efficiency considerations.
Foundation models. We don’t have many details here. What we know now is that the provisional agreement outlines specific transparency obligations for foundation models, large systems proficient in various tasks before they can enter the market. A more rigorous regime is introduced for high-impact foundation models characterised by advanced complexity, capabilities, and performance, addressing potential systemic risks along the value chain.
High-risk use cases. AI systems presenting only limited risk would be subject to very light transparency obligations, for example, disclosing that content was AI-generated. Obligations for AI systems classified as high-risk (due to their significant potential harm to health, safety, fundamental rights, environment, democracy and the rule of law) that address issues such as data quality and technical documentation include measures to prove that high-risk systems are compliant. Citizens can launch complaints about high-risk AI systems that affect their rights.
Banned applications of AI. Some applications of AI will be banned because they carry too high of a risk, i.e. they pose a potential threat to citizens’ rights and democracy. These include
- biometric categorisation systems that use sensitive characteristics (e.g. political, religious, philosophical beliefs, sexual orientation, race)
- untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases
- emotion recognition in the workplace and educational institutions
- social scoring based on social behaviour or personal characteristics
- AI systems that manipulate human behaviour to circumvent their free will
- AI used to exploit the vulnerabilities of people due to their age, disability, social or economic situation
Law enforcement exceptions. Negotiators reached an agreement on the use of remote biometric identification systems (RBI) in publicly accessible spaces for law enforcement, allowing post-remote RBI for targeted searches of persons convicted or suspected of serious crimes and real-time RBI with strict conditions for purposes like
- targeted searches of victims (abduction, trafficking, sexual exploitation),
- prevention of a specific and present terrorist threat, or
- the localisation or identification of a person suspected of having committed one of the specific crimes mentioned in the regulation (e.g. terrorism, trafficking, sexual exploitation, murder, kidnapping, rape, armed robbery, participation in a criminal organisation, environmental crime)
Additionally, changes were made to the commission proposal to accommodate law enforcement’s use of AI, introducing an emergency procedure for deploying high-risk AI tools and ensuring fundamental rights protection, with specific objectives outlined for the use of real-time remote biometric identification systems in public spaces for law enforcement purposes.
Governance. A new AI office within the commission will be advised by a scientific panel on evaluating foundation models and monitoring safety risks and will oversee advanced AI models and enforce common rules across EU member states. The AI Board, representing member states, will coordinate and advise the commission, involving member states in the implementation of regulation, while an advisory forum for stakeholders will offer technical expertise to the board.
Measures to support innovation. Regulatory sandboxes and real-world testing are promoted to enable businesses, particularly SMEs, to develop AI solutions without undue pressure from industry giants and support innovation.
Penalties. Sanctions for non-compliance range from EUR 35 million or 7% of the company’s global annual turnover for violations of the banned AI applications, EUR 15 million or 3% for breaches of the act’s obligations and €7,5 million or 1,5% for the supply of incorrect information. More proportionate caps on administrative fines for SMEs and start-ups are in the agreement.
Why it matters. The EU can now say it has drafted the very first Western AI law. The Spanish presidency has scored a diplomatic win, and, well, it’s good PR for everyone involved. Some countries are reportedly already reaching out to the EU for assistance in their future processes.
The draft legislation still needs to go through a few last steps for final endorsement, but the political agreement means its key elements have been approved – at least in theory. There’s quite a lot of technical work ahead, and the act does have to go through the EU Council, where any unsatisfied countries could still throw a wrench into the works. The act will go into force two years after its adoption, which will likely be in 2026. The biggest question is: Will technology move so fast that by 2026, the AI Act will no longer be revolutionary or even effective? Will we see another development the likes of ChatGPT, that would render this regulation essentially obsolete?
// DIGITAL POLICY ROUNDUP (27 NOVEMBER–13 DECEMBER) //
// READING CORNER //
ChatGPT: A year in review
ChatGPT recently turned one – delve into the trends it brought forward, which have shaped both industries and regulatory frameworks.
Geneva Manual on Responsible Behaviour in Cyberspace
The manual, which focuses on the roles and responsibilities of non-state stakeholders in implementing two UN cyber norms related to supply chain security and responsible reporting of ICT vulnerabilities, was launched by the Geneva Dialogue on Responsible Behaviour in Cyberspace last week.
Digital Watch Monthly December issue
In the December issue of the Digital Watch Monthly, we describe the four seasons of AI, summarise EU lawmakers’ negotiations on the AI Act, examine what Q* and Gemini mean for AGI, and delve into the delicate balance between combating online hate and preserving freedom of speech.
