After 36 hours of discussions, policymakers in the European Union have come to an agreement on the global standard for overseeing artificial intelligence.
The AI Act, a significant piece of legislation designed to regulate artificial intelligence based on its potential risks, was finalized following a trilogue involving the European Commission, Council, and Parliament on December 8, concluding the parliamentary process.
The negotiations, which tackled a record-breaking 21 issues, covered crucial topics such as governance, fundamental models, and available resources. Notably, disagreements emerged over sensitive law enforcement matters proposed by the Spanish EU Council presidency, leading to a temporary pause in negotiations. However, talks resumed the next day and extended late into the night.
Government Surveillance Oversight
France took the lead in advocating for strict oversight of AI technologies used in military or defense contexts within the EU, particularly when outsourced to external entities. The initial proposal highlights adherence to EU regulations in this area.
Banned Practices
The AI Act explicitly prohibits certain high-risk applications, including deceptive practices, exploitation of vulnerabilities, and social scoring systems. Additionally, Members of the European Parliament (MEPs) introduced a ban on databases employing mass visual image scraping techniques like Clearview AI.
To protect privacy, the legislation outlaws emotion recognition in workplaces and educational settings, as well as predictive policing tools that evaluate an individual’s likelihood of future criminal behavior based on personal traits. Lawmakers also pushed for a ban on AI systems that classify individuals by race, political views, or religious beliefs.
In response to global concerns, the Parliament made exceptions for real-time remote biometric identification in specific law enforcement scenarios like counterterrorism or suspect identification. However, strict conditions, including compliance with existing laws and prior authorization, were imposed to regulate these exceptions, with oversight responsibilities resting with the Commission to prevent potential abuses.
Furthermore, lawmakers stressed that restrictions should apply not only to systems operating within the EU but also to EU-based companies exporting these banned applications. However, due to perceived legal uncertainties, trade restrictions in this context were not enforced.
Identification of High-Risk Scenarios
The AI regulation outlines a comprehensive list of use cases deemed to pose significant risks to individuals’ safety and fundamental rights. The criteria for identifying high-risk applications are meticulously detailed, focusing on sectors like education, critical infrastructure, law enforcement, and public services.
While suggestions to include cultural media classification systems under the Digital Services Act were made, they were ultimately left out of the agreement. Parliament introduced new use cases such as border surveillance and AI systems for predicting migration patterns.
Law Enforcement Exceptions
The Council proposed exemptions for law enforcement agencies, including exceptions to the four-eye principle in exceptional circumstances and the exclusion of sensitive operational data from transparency requirements. Providers of high-risk systems and public bodies are required to register in an EU database, with a confidential section accessible only to an independent regulatory body.
In critical situations related to public safety, law enforcement agencies may deploy high-risk programs that have not undergone conformity assessments, subject to administrative approval.
Impact Assessment on Fundamental Rights
MEPs on the center-left advocated for public and private entities providing public services, such as hospitals, schools, and financial institutions, to conduct impact assessments on fundamental rights when implementing high-risk AI systems.
Supply Chain Responsibility
To ensure accountability under the AI law, downstream financial entities responsible for high-risk AI applications, including common AI models like ChatGPT, must provide comprehensive information. Additionally, small and medium-sized enterprises (SMEs) and startups are prohibited from imposing overly strict contractual terms on component suppliers integrated into high-risk AI systems.
Fines and Schedule
Penalties for violations range from a minimum percentage of annual global turnover to substantial fines for severe breaches of prohibited applications, non-compliance with provider obligations, and inaccurate information provision. The AI Act will be enforced after two years, with a six-month transition period preceding enforcement. Specific requirements for high-risk AI systems, powerful AI models, conformity assessment bodies, and governance will be gradually implemented starting one month before the enforcement date.