What is the EU AI Act and what does it mean for companies that use AI solutions?

On the 13th of March 2024, the AI Act passed the scrutiny of the European Parliament and is ready to become a law of the Union. This comprehensive regulatory framework aims to govern the development and use of artificial intelligence (AI) across the European Union (EU).

The AI Act’s primary aim is to ensure that AI technologies are developed and used in a manner that is ethical, transparent, and respects fundamental rights, and covers a wide range of AI systems used in various sectors, including healthcare, transport, and finance.

In particular,

  • it subjects high-risk AI systems (such as those used in critical infrastructure, law enforcement, and employment) to strict regulatory requirements
  • it prohibits certain AI practices that pose significant risks to individuals or society, such as human behaviour manipulation, the exploitation of vulnerabilities, or social scoring
  • it exposes non-compliant organizations to significant fines of up to €30 million or 6% of their global annual turnover, whichever is higher
  • it introduces a conformity assessment for AI systems; this assessment is designed to foster accountability and only applies to AI systems classified as ‘high-risk’

Where does the AI Act apply? Also outside the EU?

Like the GDPR, the AI Act has significant extraterritorial reach. It applies to providers who place AI systems on the EU market, regardless of where they are located. It also covers providers or deployers situated outside the European Union whose AI systems are used within the EU.

The AI Act also contains significant exclusions: AI systems developed and used solely for scientific research and development purposes fall outside its scope. Furthermore, the Act exempts research, testing, and development activities related to AI that take place before market placement or deployment, with the exception of testing in real-world conditions.

When will the AI Act come into force?

The Act is currently undergoing a final review by lawyer-linguists and is expected to be formally adopted before the end of the legislative session. The law also requires formal endorsement by the Council.

The regulation will enter into force twenty days after its publication in the Official Journal. It will become fully applicable twenty-four months after it enters into force, with certain exceptions:

  • prohibitions on restricted practices will take effect six months following the entry into force;
  • codes of practice will be applicable nine months after entry into force;
  • general-purpose AI regulations, including governance, will come into effect twelve months after entry into force;
  • obligations for high-risk systems will be enforced thirty-six months after entry into force.

The AI Act and the GDPR: how to efficiently combine these regulations?

The AI Act does not affect or amend the GDPR or the ePrivacy Directive. However, the deployment of AI solutions must remain consistent with GDPR principles, because these activities still involve the processing of personal data. Some examples:

  • Record of Processing Activities (RoPA): AI-related processes are processing activities that must be mapped in this important document.
  • Privacy Impact Assessment (PIA) and/or Data Protection Impact Assessment (DPIA): a new processing activity with AI technology usually requires one of these risk assessment procedures.
  • Technical and Organizational Security Measures (and other accountability measures): new policies (e.g. a comprehensive policy on AI use), procedures, and assessments (such as the Fundamental Rights Impact Assessment for high-risk AI systems or the conformity assessment for AI systems) are important to ensure a safe and GDPR-compliant use of AI technology.

We are well-equipped and ready to help you handle the interactions between AI Governance and Data privacy! If you want to include AI compliance in your privacy journey, please contact us at info@dpoconsultancy.nl.