The Council of the European Union adopted the EU AI Act on May 21, 2024. This significant legislation is set to be officially published in the EU Official Journal during the second half of July, with its enforcement likely starting in August. The timing is slightly delayed from the previously anticipated July start. However, several legal provisions related to artificial intelligence (AI) are already in effect.
Implementation Timeline and Immediate Actions
The European Commission’s internal timeline for implementing the AI regulation will be adjusted accordingly: the regulation is now expected to be fully applicable 24 months after its entry into force. Importantly, the ban on AI systems posing unacceptable risks will take effect six months after the act comes into force. This implies that, by February 2025, companies will need to cease using prohibited AI technologies or face significant fines, akin to those under the General Data Protection Regulation (GDPR).
Data Privacy and Immediate Compliance Requirements
Immediate action is required on data privacy in the use of AI, because the GDPR already applies. The German Data Protection Conference (DSK) issued guidance on May 6, 2024, titled “Artificial Intelligence and Data Protection – Version 1.0,” outlining numerous legal requirements. This guidance applies to any AI application processing personal data.
Key Points from DSK Guidance:
- Lawful Training of AI: Data controllers must verify and document that the AI applications they use have been trained lawfully according to data privacy laws.
- Accuracy of AI Outputs: Businesses must ensure that the AI systems produce accurate results, which can be challenging to verify in practice.
- Preference for Closed Systems: The DSK recommends using closed systems over open systems (e.g., cloud-based), particularly in legally significant decision-making areas.
- Internal Regulations and Training: Companies should establish internal regulations for AI use and train their employees accordingly.
- Third-Party AI Systems: Separate data processing agreements or joint controller agreements under GDPR must be in place when using third-party AI systems.
The Role of the AI Office in Brussels
The new AI Office in Brussels will play a critical role in ensuring a uniform European AI governance system. This office will be instrumental in implementing the AI Act and shaping future regulations. Businesses are advised to stay informed about new rules issued by the AI Office and to actively participate in discussions on AI governance.
Navigating the New AI Landscape
The introduction of the EU AI Act marks a significant step towards regulating AI technologies, ensuring their safe and non-discriminatory use across various sectors. Businesses must start preparing for these changes by adhering to current data privacy laws and anticipating new regulations. Close monitoring of developments and proactive engagement in AI governance will be crucial for navigating this evolving landscape.
For more details, refer to the original article by Morgan Lewis: The EU AI Act Is Coming – With Numerous Legal Consequences.