AI Act – What’s next?

After a record-long negotiation (36 hours), the EU Parliament declared on Friday, December 8, 2023, that they have successfully reached an agreement on the upcoming AI Act.

As of now, there is no official text available. The only official sources of information that we have are press releases from the EU institutions involved in the Trilogue and interviews given by the most involved MEPs.

Let’s shed some light on what comes next:

The AI Act has not been approved (yet)

Despite the wave of news concerning the AI Act on different medias, the AI Act has not been approved (yet). On Friday, December 8, the last step of the Trilogue negotiations (please follow this link for a Trilogue definition) took place, meaning that the Council and the EU Parliament reached a political agreement on the final version of the Act, initially proposed by the Commission in April 2021.

For the Act to be formally approved, we have to wait for the technical and legal-linguistic revision, and for the formal adoption of the finalized version by the Council and Parliament (planned for Q1 2024).

When will the Act come into force?

The current (provisional) agreement envisages a two-year grace period for the Act to become applicable, with some exceptions to facilitate a gradual compliance journey: bans on prohibited AI use cases will already apply after 6 months from the adoption of the AI Act, while provisions on general purpose AI systems after 12 months. An anticipated voluntary compliance is strongly encouraged, as specified by the MEPs in the press conference following the Trilogue.

Definition of AI

Wide negotiations surrounded the definition of AI, as this is of paramount importance in order to clearly identify and distinguish AI systems. In the provisional agreements, EU institutions compromised to align with the OECD updated definition:

“An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment.”

General Purpose AI (GPAI) and Foundation Model obligations

More stringent obligations have been introduced for GPAIs, in particular where such technology is integrated in high-risk systems. Specific provisions have been agreed also concerning foundation models, like enhanced transparency obligations and stricter regimes for “high impact” foundation models.

How does the AI Act protect fundamental rights?

A Fundamental Right Impact Assessment (FRIA) has been agreed and introduced in the Act. Such assessment is required for high-risk AI systems to be used in essential services such as hospitals, schools and banks, before it is placed in the market. More details on the FRIA will emerge in the next months.

Remote biometric identification systems – with exceptions

Remote biometric identification (RBI) in publicly accessible spaces was one of the hard knots faced by the MEPs during negotiations. Against the previously agreed general ban for these technologies to be used in the EU remains (“unacceptable risk AI systems” in the Act), negotiators agreed on a series of exceptions in the context of law enforcement.

“Post-remote” RBI is allowed if used to search a person convicted or suspected of having committed a serious crime. “Real-time” RBI can be used under strict obligations and limitations, only for specific purposes (e.g. prevention of a specific and present terrorist threat, targeted searches of victims and/or suspects of serious crimes such as terrorism, sexual exploitation, kidnapping, environmental crimes, etc).

Governance

At European level, the new European AI Office will be established within the EU Commission. At national level, the competent market surveillance authorities will be responsible for monitoring compliance with the AI Act.

Sanctions

Breaches of the obligations under the AI Act can result in heavy fines, ranging from €35 million or 7% of global turnover to €7.5 million or 1.5% of turnover. The amount of the fine depends on the specific type of infringement and the size of the company, as stated in the EU Parliament’s press release.

We will keep you updated on the next steps regarding the formal adoption of the AI Act.

Dott. Mag. Giulia Provini | 15. Dezember 2023 | Allgemein, Internationaler Datenschutz | AI, AI Act, Biometric data, data protection, English Posts, European Parliament, European Union, foundation models, General Purpose AI