The EU Approach to the Regulation of Artificial Intelligence

The advancement of technologies leads to increasing application of various algorithms that can develop on the basis of machine learning. Therefore, an issue of special importance is the approach to the regulation of artificial intelligence and its application in various spheres of economic and administrative activities.

At present, the European Commission has submitted a proposal for a Regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). The legislative proposal states explicitly that the choice of a regulation as a legal instrument is justified by the need for safeguards of a uniform application of the rules and the security of all entities to which is applies throughout the EU territory. Its scope will cover all systems using artificial intelligence within the EU, including those which are located physically within the territory of third countries if the result of their operation is used in the EU. Of course, a pertinent issue is what will happen if the result is not used within the EU. In such cases, it will be relevant to assess the type of data being processed: data that are not subject to special collection and use arrangements can be processed freely, whereas the processing of regulated data, such as personal data, will have to comply with the applicable data protection rules before the relevant system begins their processing.

The first question to be answered in the Regulation relates to the concept of artificial intelligence because of the ongoing debate at the European Council on the appropriateness of the proposed approach. For the time being, it is proposed to define artificial intelligence (AI) as software that can, for a given set of human-defined objectives, generate outputs such as content, recommendations, predictions, or decisions influencing the environment they interact with. To make this concept flexible and robust, it is important to specify the technologies that are used in the development of the software so as to recognise the existence of an artificial intelligence system. These technologies will be listed in an Annex to the Regulation and the European Commission will be able to amend the list.

There are several sets of rules applicable to the systems within the scope of the Regulation as follows:

  1. Placement on the market and use of artificial intelligence systems;
  2. Prohibition of certain artificial intelligence practices;
  3. Specific requirements for high-risk systems;
  4. Transparency rules applicable to systems intended to interact with humans, or are used for emotion recognition or biometric categorisation, or are used to generate or manipulate image, audio or video content;
  5. Market surveillance rules.

Although the spheres of artificial intelligence regulation are listed in that order in Article 1 of the proposal for a Regulation, the prohibition of certain practices comes first. The group of prohibited practices covers the following:

  • Systems that deploy subliminal techniques beyond a person’s consciousness as a result of which harm can be caused to a person;
  • Systems that exploit vulnerabilities of a specific group of persons as a result of which harm can be caused to a person;
  • Systems for the evaluation or classification of the trustworthiness of persons based on their social behaviour, with the social score leading to detrimental or unfavourable treatment of these persons in social contexts which are unrelate to the contexts in which the data was originally collected, or detrimental or unfavourable treatment that is disproportionate to the social behaviour of these persons;
  • Systems used for real-time remote biometric identification (some derogations are envisaged for certain objectives but only by way of exception).

The proposal for a Regulation contains artificial intelligence rules applicable to high-risk systems. These are the systems intended to ensure the safety of products and services listed in Annex II to the Regulation and required to undergo a third-party conformity assessment. Furthermore, high-risk systems may be listed in Annex III to the Regulation and the European Commission is empowered to add systems to that list. Risk management systems are required for the use of high-risk systems. A noteworthy novelty in the legislative approach is the introduction of rules which apply not only to the artificial intelligence functioning but also to the inputs on which this functioning is based. Besides, there are explicit requirements for the whole technical documentation to be transparent and comprehensible to users, and for the logging of all operations. All high-risk systems must be under human oversight at any point of time. The proposal for a Regulation contains a number of additional obligations assigned to artificial intelligence developers and to persons who put artificial intelligence into service.

The fulfilment of these requirements will be established through conformity assessment in accordance with harmonised standards published in the Official Journal of the EU, or standard specifications approved by the European Commission. Where they do not comply with the standards, artificial intelligence providers will be required to duly justify that they have adopted equivalent measures. The conformity assessment procedure envisaged in the Regulation will be based on either internal control or involvement of a notified body referred to in the Regulation. Notified bodies are subject to approval by the notifying authorities designated by each Member State.

The artificial intelligence regulation also contains certain transparency rules for systems which are not classified as high-risk. These obligations make sure that each person is informed that he or she interacts with an AI-based system. Further disclosure of information is required when the system recognises human emotions or collects biometric data. Systems generating or manipulating image, audio or video content (for the creation of “deep fake”) must disclose that the content has been artificially generated or manipulated.

The proposal for a Regulation specifies some investment promotion measures, such as regulatory sandboxes for the development of artificial intelligence, including the option for re-use of personal data collected for other purposes, i.e. a derogation from the rules laid down in the General Data Protection Regulation.

The enforcement of the artificial intelligence regulation measures is proposed to be governed through the establishment of a European Artificial Intelligence Board and the designation of national competent authorities. Measures are envisaged to ensure that artificial intelligence systems are either brought into conformity or withdrawn or recalled from the market where they present a risk at national level.

The proposed measures will be subject to lengthy negotiations but the proposal for a Regulation gives a clear picture of the general thrust of the legislation regulating artificial intelligence.