Europe Seeks To Tame Artificial Intelligence With The World’s First Comprehensive Regulation – Technology – Worldwide – Mondaq News Alerts

admin on May 14, 2021 Leave a Comment

In what could be a harbinger of the future regulation ofartificial intelligence (AI) in the United States, the EuropeanCommission published its recent proposal for regulation of AI systems. Theproposal is part of the European Commission's larger European strategy for data, which seeks to"defend and promote European values and rights in how wedesign, make and deploy technology in the economy." To thisend, the proposed regulation attempts to address the potentialrisks that AI systems pose to the health, safety, and fundamentalrights of Europeans caused by AI systems.

Under the proposed regulation, AI systems presenting the leastrisk would be subject to minimal disclosure requirements, while atthe other end of the spectrum AI systems that exploit humanvulnerabilities and government-administered biometric surveillancesystems are prohibited outright except under certain circumstances.In the middle, "high-risk" AI systems would be subject todetailed compliance reviews. In many cases, such high-risk AIsystem reviews will be in addition to regulatory reviews that applyunder existing EU product regulations (e.g., the EU alreadyrequires reviews of the safety and marketing of toys and radio frequency devices such as smart phones,Internet of Things devices, and radios).

The proposed AI regulation applies to all providers that marketin the EU or put AI systems into service in the EU as well as usersof AI systems in the EU. This scope includes governmentalauthorities located in the EU. The proposed regulation also appliesto providers and users of AI systems whose output is used withinthe EU, even if the producer or user is located outside of the EU.If the proposed AI regulation becomes law, the enterprises thatwould be most significantly affected by the regulation are thosethat provide high-risk AI systems not currently subject to detailedcompliance reviews under existing EU product regulations, but thatwould be under the AI regulation.

The term "AI system" is defined broadly as softwarethat uses any of several identified approaches to generate outputsfor a set of human-defined objectives. These approaches cover farmore than artificial neural networks and other technologiescurrently viewed by many as traditional as "AI." In fact,the identified approaches cover many types of software that fewwould likely consider "AI," such as "statisticalapproaches" and "search and optimization methods."Under this definition, the AI regulation would seemingly cover theday-to-day tools of nearly every e-commerce platform, social mediaplatform, advertiser, and other business that rely on suchcommonplace tools to operate.

This apparent breadth can be assessed in two ways. First, thisdefinition may be intended as a placeholder that will be furtherrefined after the public release. There is undoubtedly no perfectdefinition for "AI system," and by releasing the AIregulation in its current form, lawmakers and interested partiescan alter the scope of the definition following public commentaryand additional analysis. Second, most "AI systems"inadvertently caught in the net of this broad definition wouldlikely not fall into the high-risk category of AI systems. In otherwords, these systems generally do not negatively affect the healthand safety or fundamental rights of Europeans, and would only besubject to disclosure obligations similar to the data privacyregulations already applicable to most such systems.

The proposed regulation prohibits uses of AI systems forpurposes that the EU considers to be unjustifiably harmful. Severalcategories are directed at private sector actors, includingprohibitions on the use of so-called "dark patterns"through "subliminal techniques beyond a person'sconsciousness," or the exploitation of age, physical or mentalvulnerabilities to manipulate behavior that causes physical orpsychological harm.

The remaining two areas of prohibition are focused primarily ongovernmental actions. First, the proposed regulation would prohibituse of AI systems by public authorities to develop "socialcredit" systems for determining a person'strustworthiness. Notably, this prohibition has carveouts, as suchsystems are only prohibited if they result in a "detrimentalor unfavorable treatment," and even then only if unjustified,disproportionate, or disconnected from the content of the datagathered. Second, indiscriminate surveillance practices by lawenforcement that use biometric identification are prohibited inpublic spaces except in certain exigent circumstances, and withappropriate safeguards on use. These restrictions reflect theEU's larger concerns regarding government overreach in thetracking of its citizens. Military uses are outside the scope ofthe AI regulation, so this prohibition is essentially limited tolaw enforcement and civilian government actors.

"High-risk" AI systems receive the most attention inthe AI regulation. These are systems that, according to thememorandum accompanying the regulation, pose a significant risk tothe health and safety or fundamental rights of persons. This boilsdown to AI systems that (1) are a regulated product or are used asa safety component for a regulated product like toys, radioequipment, machinery, elevators, automobiles, and aviation, or (2)fall into one of several categories: biometric identification,management of critical infrastructure, education and training,human resources and access to employment, law enforcement,administration of justice and democratic processes, migration andborder control management, and systems for determining access topublic benefits. The regulation contemplates this latter categoryevolving over time to include other products and services, some ofwhich may face little product regulation at present. Enterprisesthat provide these products may be venturing into an unfamiliar andevolving regulatory space.

High-risk AI systems would be subject to extensive requirements,necessitating companies to develop new compliance and monitoringprocedures, as well as make changes to products both on the frontend and the back end such as:

The regulation would impose transparency and disclosurerequirements for certain AI systems regardless of risk. Any AIsystem that interacts with humans must include disclosures to theuser they are interacting with an AI system. The AI regulationprovides no further details on this requirement, so a simple noticethat an AI system is being used would presumably satisfy thisregulation. Most "AI systems" (as defined in theregulation) would fall outside of the prohibited and high-riskcategories, and so would only be subject to this disclosureobligation. For that reason, while the broad definition of "AIsystem" captures much more than traditional artificialintelligence techniques, most enterprises will feel minimal impactfrom being subject to these regulations.

The proposed regulation provides for tiered penalties dependingon the nature of the violation. Prohibited uses of AI systems(subliminal manipulation, exploitation of vulnerabilities, anddevelopment of social credit systems) and prohibited development,testing, and data use practices could result in fines of the higherof either 30,000,000 EUR or 6% of a company's total worldwideannual revenue. Violation of any other requirements or obligationsof the proposed regulation could result in fines of the higher ofeither 20,000,000 EUR or 4% of a company's total worldwideannual revenue. Supplying incorrect, incomplete, or misleadinginformation to certification bodies or national authorities couldresult in fines of the higher of either 10,000,000 EUR or 2% of acompany's total worldwide annual revenue.

Notably, EU government institutions are also subject to fines,with penalties up to 500,000 EUR for engaging in prohibitedpractices that would result in the highest fines had the violationbeen committed by a private actor, and fines for all otherviolations up to 250,000 EUR.

The proposed regulation remains subject to amendment andapproval by the European Parliament and potentially the EuropeanCouncil, a process which can take several years. During this longlegislative journey, components of the regulation could changesignificantly, and it may not even become law.

Although the proposed AI regulation would mark the mostcomprehensive regulation of AI to date, stakeholders should bemindful that current U.S. and EU laws already govern some of theconduct it attributes to AI systems. For example, U.S. federal lawprohibits unlawful discrimination on the basis of a protected classin numerous scenarios, such as in employment, the provision ofpublic accommodations, and medical treatment. Uses of AI systems thatresult in unlawful discrimination in these arenas already posesignificant legal risk. Similarly, AI systems that affect publicsafety or are used in an unfair or deceptive manner could beregulated through existing consumer protection laws.

Apart from such generally applicable laws, U.S. laws regulatingAI are limited in scope, and focus on disclosures related to AI systems interacting with people or arelimited to providing guidance under current law in anindustry-specific manner, such as with autonomous vehicles. There is also a movementtowards enhanced transparency and disclosure obligations for userswhen their personal data is processed by AI systems, as discussedfurther below.

To date, no state or federal laws specifically targeting AIsystems have been successfully enacted into law. If the proposed EUAI regulation becomes law, it will undoubtedly influence thedevelopment of AI laws in Congress and state legislatures, andpotentially globally. This is a trend we saw with the EU'sGeneral Data Protection Regulation (GDPR), which has shaped newdata privacy laws in California, Virginia, Washington, and severalbills before Congress, as well as laws in other countries.

U.S. legislators have so far proposed bills that would regulateAI systems in a specific manner, rather than comprehensively as theEU AI regulation purports to do. In the United States, "algorithmic accountability"legislation attempts to address concerns about high-risk AIsystems similar to those articulated in the EU throughself-administered impact assessments and required disclosures, butlacks the EU proposal's outright prohibition on certain uses ofAI systems, and nuanced analysis of AI systems used by governmentactors. Other bills would solely regulate government procurementand use of AI systems, for example, California AB-13 and Washington SB-5116, leaving industry free todevelop AI systems for private, nongovernmental use. Upcomingprivacy laws such as the California Privacy Rights Act (CPRA) and theVirginia Consumer Data Protection Act (CDPA),both effective January 1, 2023, do not attempt to comprehensivelyregulate AI, instead focusing on disclosure requirements and datasubject rights related to profiling and automateddecision-making.

Ultimately, the AI regulation (in its current form) will haveminimal impact on many enterprises unless they are developingsystems in the "high-risk" category that are notcurrently regulated products. But some stakeholders may besurprised, and unsatisfied with, the fact that the draftlegislation puts relatively few additional restrictions on purelyprivate sector AI systems that are not already subject toregulation. The drafters presumably did so to not overly burdenprivate sector activities. But it is yet to be seen whether anyenacted form of the AI regulation would strike that balance in thesame way.

The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circumstances.

View original post here:
Europe Seeks To Tame Artificial Intelligence With The World's First Comprehensive Regulation - Technology - Worldwide - Mondaq News Alerts

Related Posts
Posted in Artificial Intelligence

Comments are closed.