As the use of artificial intelligence (“AI”) continues to expand, along with the amount of data it consumes, attention has turned to its regulation. The UK has a National AI Strategy, which is at an initial stage of consideration and sets out statements of aim. In the meantime, the EU has released a draft Artificial Intelligence Act, which sets out a far more comprehensive approach. The two jurisdictions’ approaches are summarised below as an indication of how the AI market will continue to grow and be shaped.
The European Commission released its highly anticipated draft Artificial Intelligence (AI) Act on 21 April 2021 (the “Act”). The Act is expected to be formally issued in 2023. It represents the most ambitious attempt to regulate AI technologies to date, setting out a cross-sectoral regulatory approach to the use of AI systems across the EU.
In the UK, the Office for Artificial Intelligence, Department for Digital, Culture, Media & Sport, and the Department for Business, Energy & Industrial Strategy together issued the UK’s National AI Strategy (“NAS”) on 22 September 2021.
THE UK’S NATIONAL AI STRATEGY (NAS)
The NAS aims to ensure that the national and international governance of AI technologies is correctly balanced, so as to encourage innovation and investment while protecting the public and fundamental human values.
The NAS is meant to run for 10 years from September 2021 and sits more on the consideration and information gathering end of AI regulation, which contrasts with the EU’s approach. Currently, none of the regulatory aims of the NAS indicate an explicit undertaking to issue a new all-inclusive AI law.
However, the NAS lays down the necessary foundation for a law to be issued later, as some of the governance aims envisage:
- a new consultation on determining the role of data protection in wider AI governance;
- developing an all-of-government approach to international AI activity;
- publishing a White Paper on a pro-innovation national position on governing and regulating AI; and
- working with The Alan Turing Institute to update guidance on AI ethics and safety in the public sector.
The EU’s Act and the NAS governance aims are expected to expedite the UK’s AI regulatory developments and may even lead to the issuance of the UK’s first AI-focused law soon after the EU’s Act is issued in 2023.
While the proposed AI regulation will still need to go through the EU’s ordinary legislative procedure before entering into force, it is recommended that both users and providers of AI systems consider the repercussions of such regulation as early as possible to ensure smooth compliance once the AI Act is issued. Moreover, since the UK Government has issued its NAS, it is important to keep an eye on the milestones set in the plan and their effects on users and providers of AI systems, especially as the NAS is expected to be heavily influenced by the EU’s Act.
THE EU DRAFT AI ACT
Act’s Definition of AI
The Act, as a strong indicator of its goal to regulate the industry, contains a very broad definition of AI:
‘Any software that is developed with one or more of the techniques and approaches listed in Annex I and can, for a given set of human-defined objectives, generate outputs, such as content, predictions, recommendations, or decisions influencing the environments they interact with.’
While the list in draft Annex I specifies techniques that fall under the umbrella of machine learning, it also specifies that ‘statistical approaches’ in general will be considered amongst the suite of AI techniques. This is wider in scope than most definitions of AI and would mean that software not commonly considered as using AI would be covered by the regulation.
Scope of application
The Act: (i) will apply to both private and public sectors that are considered providers and/or users of AI; and (ii) has an extraterritorial effect, as it will apply to providers in third countries who provide services with AI systems in the European market.
The Act’s four-tiered risk approach categorises AI systems based on the threat posed to one’s health, safety and/or fundamental rights and freedoms, including the right to privacy. The Act then sets out proportionate requirements and obligations based on the risk level. The four categories and some indicative requirements are as follows:
|Minimal or no Risk
|Examples of AI systems
Distortion of human behaviour
Exploitation of children
|Real-time remote biometric identification AI system
Safety components in medical devices
|Prior and/or post implementation conformity assessments
Voluntary adherence to codes of conduct
|No restrictions but voluntary adherence to codes of conduct is encouraged
Potential Exposure and Liability
The draft Act sets out levels of risk together with potential fines and remedies. Mirroring the GDPR, there are substantial fines in the event of non-compliance, but a regulator could also require the withdrawal of the AI system in use and potentially other commercially damaging reputational publications.
Infringers can potentially face fines which vary according to the risk and the severity of the breach. The tiers in the draft Act are:
| Breach according to the Draft Act | Potential fine in accordance with the Draft Act |
| --- | --- |
| Breaching the prohibition on unacceptable-risk AI system or infringing the data governance provisions for high-risk AI systems | Up to the higher of EUR 30 million and 6% of the total worldwide annual turnover |
| Non-compliance of AI systems with any other requirement under the Draft AI Regulation | Up to the higher of EUR 20 million and 4% of the total worldwide annual turnover |
| Supplying incorrect, incomplete, or false information to notified bodies and national authorities | Up to the higher of EUR 10 million and 2% of the total worldwide annual turnover |
Please contact Jose Saras if you have any questions regarding the above.
The material contained in this article is only for general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.