The EU’s proposed AI act was endorsed by the European parliament on Wednesday, and is a milestone in regulating the technology. The vote is an important step towards introducing the legislation, which now requires the formal approval of ministers from EU member states.
Consumers will not notice an immediate difference, given that the act will be implemented over a period of three years, but it will answer some concerns over the technology.
“Users will be able to trust that the AI tools they have access to have been carefully vetted and are safe to use,” said Guillaume Couneson, partner at law firm Linklaters. “This is similar to users of banking apps being able to trust that the bank has taken stringent security measures to enable them to use the apps safely.”
The bill matters outside the EU because Brussels is an influential tech regulator, as shown by GDPR’s impact on the management of people’s data. The AI act could do the same.
“Many other countries will be watching what happens in the EU following the adoption of the AI Act. The EU approach will likely only be copied if it is shown to work,” Couneson added.
How does the bill define AI?
A basic definition of AI is a computer system that carries out tasks you would normally associate with human levels of intelligence, such as writing an essay or drawing a picture.
The act itself has a more detailed take, describing the AI technology it regulates as a “machine-based system designed to operate with varying levels of autonomy”, which obviously covers tools like ChatGPT.
This system may show “adaptiveness after deployment” – ie it learns on the job – and infers from the inputs it receives “how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments”. This definition covers chatbots, but also AI tools that, for instance, sift through job applications.
As detailed below, the legislation bans systems that pose an “unacceptable risk”, but it exempts AI tools designed for military, defence or national security use, issues that alarm many tech safety advocates. It also does not apply to systems designed for use in scientific research and innovation.
“We fear that the exemptions for national security in the AI Act provide member states with a carte blanche to bypass crucial AI regulations and create a high risk of abuse,” said Kilian Vieth-Ditlmann, deputy head of policy at German non-profit organisation Algorithmwatch, which campaigns for responsible AI use.
How does the bill tackle the risks posed by AI?
Certain systems will be prohibited. These include systems that seek to manipulate people to cause harm; “social scoring” systems that classify people based on social behaviour or personality, like the one in Rongcheng, China, where the city rated aspects of residents’ behaviour; Minority Report-style attempts at predictive policing; monitoring people’s emotions at work or in schools; “biometric categorisation” systems that sift people based on their biometric data (retina scans, facial recognition, fingerprints) to infer things such as race, sexual orientation, political opinions or religious beliefs; and compiling facial recognition databases through scraping facial images from the internet or CCTV.
Exemptions for law enforcement
Facial recognition has been a contentious factor in the legislation. The use of real-time biometric identification systems – which covers facial recognition technology on live crowds – is banned, but allowed for law enforcement in a number of circumstances. Law enforcement can use such technology to find a missing person or prevent a terror attack, but they will need approval from authorities – although in exceptional circumstances it can be deployed without prior approval.
What about systems that are risky but not banned?
The act has a special category for “high risk” systems that will be legal but closely observed. Included are systems used in critical infrastructure, like water, gas and electricity, or those deployed in areas like education, employment, healthcare and banking. Certain law enforcement, justice and border control systems will also be covered. For instance, a system used in deciding whether someone is admitted to an educational institution, or whether they get a job, will be deemed high-risk.
The act requires these tools to be accurate, subject to risk assessments, have human oversight, and also have their usage logged. EU citizens can also ask for explanations about decisions made by these AI systems that have affected them.
What about generative AI?
Generative AI – the term for systems that produce plausible text, image, video and audio from simple prompts – is covered by provisions for what the act calls “general-purpose” AI systems.
There will be a two-tiered approach. Under the first tier, all model developers will need to comply with EU copyright law and provide detailed summaries of the content used to train the model. It is unclear how already-trained models will be able to comply, and some are already under legal pressure. The New York Times is suing OpenAI and Getty Images is suing StabilityAI, alleging copyright infringement. Open-source models, which are freely available to the public, unlike “closed” models like ChatGPT’s GPT-4, will be exempt from the copyright requirement.
A tougher tier is reserved for models that pose a “systemic risk” – based on an assessment of their more human-like “intelligence” – and is expected to include chatbots and image generators. The measures for this tier include reporting serious incidents caused by the models, such as death or breach of fundamental rights, and conducting “adversarial testing”, where experts attempt to bypass a model’s safeguards.
What does it mean for deepfakes?
People, companies or public bodies that issue deepfakes have to disclose whether the content has been artificially generated or manipulated. If it is done for “evidently” artistic, creative or satirical work, it still needs to be flagged, but in an “appropriate manner that does not hamper the display or enjoyment of the work”.
Text produced by chatbots that informs the public “on matters of public interest” needs to be flagged as AI-made, but not where it has undergone a process of human review or editorial control – which exempts content that has had human oversight. Developers of AI systems also need to ensure that their output can be detected as AI-made, by watermarking or otherwise flagging the material.
What do AI and tech companies think?
The bill has received a mixed response. The largest tech companies are publicly supportive of the legislation in principle, while wary of the specifics. Amazon said it was committed to collaborating with the EU “to support the safe, secure and responsible development of AI technology”, but Mark Zuckerberg’s Meta warned against overregulation. “It is critical we don’t lose sight of AI’s huge potential to foster European innovation and enable competition, and openness is key here,” the company’s head of EU affairs said.
In private, responses have been more critical. One senior figure at a US company warned that the EU had set a limit for the computing power used to train AI models that is much lower than similar proposals in the US. Models trained with more power than 10 to the power of 25 “flops”, a measure of computing power, will be hit with burdensome requirements to prove they don’t create system risks. This could prompt European companies to simply up stakes and move west to avoid EU restrictions.
What are the punishments under the act?
Fines will range from €7.5m or 1.5% of a company’s total worldwide turnover – whichever is higher – for giving incorrect information to regulators, to €15m or 3% of worldwide turnover for breaching certain provisions of the act, such as transparency obligations, to €35m, or 7% of turnover, for deploying or developing banned AI tools. There will be more proportionate fines for smaller companies and startups.
The obligations will come into effect after 12 months, so at some point next year, once the act becomes law; prohibition of certain categories comes into force after six months. Providers and deployers of high-risk systems have three years to comply. There will also be a new European AI office that will set standards and be the main oversight body for GPAI models.