With fewer rough edges EU’s AI act is inching towards the finish line

Last autumn, we covered at length the European Union's forthcoming Artificial Intelligence Regulation, which is expected to have major global impact, similar to the GDPR. Although the regulation is still at the parliamentary stage, much have changed in the original text.

French and Czech presidencies on the bumpy road to compromise

The European Union’s legislative procedures are based on painstaking compromises and often years of tinkering, the EU's AI regulation is no exception. Much of the legislative process is based on a tug-of-war between the legislator's own interests, market actors - typically those seeking deregulation instead - and other non-market players (industry experts, fundamental rights activists, working groups in the European Parliament).

Compared to the first draft of the regulation, much of the text proposed under the French presidency has moved towards cautious compromises and simplification. The rules on AI regulatory sandboxes were simplified, the Commission were pushed to establish certain guidelines, and major concessions were made to the market, reducing the power of certain actors traditionally more inclined towards regulation (e.g. in the future European Artificial Intelligence Board, the EDPS would have only observer status together with the Commission).

The Czech Republic, which took over the Presidency of the Council of the European Union on 1^st of July, is expected to entrust Ivan Bartoš with the task of driving forward the European digital legislation package, including the AI Act. The 42-year-old Minister for Digitalization and Regional Development looks perfect for the job, as he not only has a strong background in IT (he has worked for several multinational corporations, including T-Mobile, and holds a PhD in information technology) but also a considerable experience on the field of fundamental rights. Although some expected Bartoš to strengthen privacy and fundamental rights aspects of the regulation, the initial proposal put forward by the Czech presidency, takes the French proposal further down a more market-compromising road and focuses on four groups of issues (definition of AI, requirements for high-risk systems, the verification regime and the national security exception) that are still contentious. The decision is likely a direct effect of the significantly changed priorities due to the war in Ukraine.

Main battlegrounds: the national security exception and facial recognition

Although the draft AI Regulation has generated much debate, national security and military exceptions have emerged as the most controversial topic. The majority of EU member states would want to see unrestricted use of artificial intelligence systems for national security and military purposes. While there is a logic behind the use of this exception, civil liberties advocates are rightly concerned that governments could use the national security card as a jolly joker and overreach well into fundamental rights territories. The Pegasus spyware scandal of 2021 caused a major backlash in many EU countries and showed the European public how national security rules are not uniform in all member states. The ability of governments to overreach and abuse law enforcement and intelligence functions are only restricted by local checks and balances, as well as the resilience of society, so the national security clause would allow for an uneven application of the regulation.

Another area of contention is the section of the draft regulation that would allow the use of mass facial recognition systems to locate missing persons and suspects of all major crimes and to avert threats that cannot be averted otherwise, effectively giving a free pass to the state to install and operate such systems on a permanent basis. However, the European Parliament and a number of fundamental rights groups are arguing for a total ban. From a data protection perspective, the objections are justified, and the concerns are shared by the European Data Protection Board and the European Data Protection Supervisor as well. The two European agencies issued a joint statement on the topic, calling for the ban of mass facial recognition practices in publicly accessible spaces.

How does EU’ AI Regulation affect you and your business?

The adoption of AI-based solutions is still in its early stages (in the European Union, only eight percent of companies use AI applications, according to EuroStat data), rapid growth is expected in the near future. Although global regulations are still to come, the market and customers are expected to force the adoption of specific controls and ethical AI practices much sooner. If your business is considering the use of AI solutions, it is recommended that you also take into account, on a consultative basis, the likely evolution of the European regulatory environment, as well as algorithm ethics and privacy considerations. If you need help with the process, please feel free to contact our consultants.