Artificial Intelligence Act — EU Law with a Global Impact
The breadth of the European Union’s proposed Artificial Intelligence Act is staggering. It has the potential to impact anyone and everyone using AI. How can businesses prepare now?
We are diving back into the European Union’s AI Act. Having reviewed the proposed law three things jump out to me:
- Classification of Risk — a formal recognition of a tiered system of AI risks. See here for more on that.
2. CapAI Tooling — CapAI is a University of Oxford researched tool providing a procedure around one element of the rule, AI conformity assessments
It is practical guidance on how to translate high-level ethics principles into verifiable criteria that help shape the design, development, deployment and use of ethical AI. We will be covering this in the coming weeks, so click that follow button!
3. Breadth of the Act — what we will cover today.
Defining the Roles in AI
In order to show exactly how wide this Act will travel, we need to dissect the various types of roles within the AI space.
Developers / Providers — entities developing AI systems or have an AI system developed with a view to placing it on the market / into service in the EU. Whether for payment or free of charge. Irrespective of whether providers are established within the EU or outside;
Importer — entities established in the EU that place on the market / put into service an AI system that bears the name / trademark of an entity outside the EU;
Distributors — any entity in the supply chain, other than the developer / provider or the importer, that makes an AI system available on the EU market without affecting its properties;
User — any entity, public authority, agency or other body using an AI system under its authority (excludes for where used in the course of a personal non-professional activity);
The regulatory obligations of each, bar the user, differing slightly.
Scope of EU Act
The Act states the regulation shall apply to:
a) providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established within the Union or in a third country;
b) Users of AI systems located within the Union;
c) Providers and Users of AI systems that are located in a third country, where the output produced by the system is used in the Union
As you can see from the diagram and the scope, any interaction between an AI product or service, directly or indirectly, with users in the EU, brings the provider into scope.
This means an entity developing a product or service using AI in say, South Africa, but which will make its offering available in the EU will need to comply with the EU AI Act. The reach is massive
Practical Next Steps
As outlined in my last post there are a range of requirements which are still to be finalized. The rule itself will likely not be signed into law until 2025, with a 2 year timeline to comply.
Having said that, there are broader steps entities can take now. Not only from an aspect of regulatory compliance, but in fostering trust and goodwill with investors, end users, and government agencies in an area of technology which will disrupt many.
Steps such as:
- Assessing data governance practices, especially on data leveraged to train models.
- Embed a habit of producing robust support documentation of AI systems, conformity assessments, documentational requirements and other obligations will all lean on these.
- Develop an internal incident reporting process related to your AI product / service / system.
- Re-review controls on handling personal data, in line with data governance as note above. within your business / firm.
GDPR, Data Governance Act, and others will be the pillars around which much of the AI act is enforced by. Good time to brush up on your control frameworks around those.
Thanks for reading! If you have concerns on how this might impact your business, or want to hear more, get in touch!
