On December 8, 2023, the European Parliament and the Council reached a political agreement on the EU’s Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”).
The AI Act will introduce a risk-based legal framework for AI. Specifically, the AI Act will state that: (1) certain AI systems are prohibited as they present unacceptable risks (e.g., AI used for social scoring based on social behavior or personal characteristics, or untargeted scraping of facial images from the Internet or CCTV footage to create facial recognition databases); (2) AI systems presenting a high risk to the rights and freedoms of individuals will be subject to stringent rules, which may include data governance/management and transparency obligations, the requirement to conduct a conformity assessment procedure and the obligation to carry out a fundamental rights assessment; (3) limited-risk AI systems will be subject to light obligations (mainly transparency requirements); and (4) AI systems that are not considered prohibited, high-risk or limited-risk systems will fall outside the scope of the AI Act.
With respect to general-purpose AI systems, the AI Act will also implement risk-based requirements. All general-purpose AI systems, and the models they are based on, will have to adhere to transparency requirements. High-impact general-purpose AI models with systemic risk will be subject to additional obligations, including obligations to perform model evaluations, assess and mitigate systemic risks, conduct adversarial testing, report serious incidents to the European Commission, ensure cybersecurity, and report on their energy efficiency.
Non-compliance with the AI Act may lead to significant fines: €35 million or 7% of annual global turnover for violations relating to the banned AI applications, €15 million or 3% of annual global turnover for violations of the AI Act’s obligations, and €7.5 million or 1.5% of annual global turnover for the supply of incorrect information to regulators.
Formal adoption of the AI Act is expected to take place in early 2024. After the AI Act is formally adopted, organizations will have a transition period to implement the necessary compliance measures. The length of the transition period will vary depending on the type of AI system: (1) six months for prohibited AI systems; (2) 12 months for specific obligations applicable to certain higher risk AI systems; and (3) 24 months for all other obligations.
Read the press release from the European Parliament and the press release from the Council. See the press conference following the agreement.