The Investment Industry Association of Canada (IIAC) highlighted some of the key points from the recent EU approval of the Artificial Intelligence Act, the world’s first comprehensive legislation aimed at mitigating AI risks. The Act introduces a proportionate set of binding rules for AI systems. The type and content of the rules are tailored to the “intensity and scope of the risks that AI systems can generate”.
This risk-based approach prohibits certain “unacceptable” AI practices, and lays down requirements for high-risk AI systems, obligations for operators and transparency obligations for certain AI systems.
Some AI applications will be banned outright, such as those that “deploys subliminal techniques beyond a person’s consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of, materially distorting the behavior of a person … thereby causing a person to take a decision that that person would not have otherwise taken in a manner that causes or is likely to cause that person … significant harm.”
Also banned will be “biometric categorization systems” that infringe on obligations under Union law intended to protect fundamental rights.
Strict requirements will apply to high-risk AI systems, for example, in education, healthcare, law enforcement, and critical infrastructure, and will be subject to a stricter risk-management policies, such as accountability and governance processes.
Compliance will be enforceable by means of the imposition of penalties and other enforcement measures. Administrative fines on providers and users of AI systems can be as high as €35 million or, if the offender is an undertaking, up to 7% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
The law is expected to come into force in May 2024, following final endorsement by the European Council. The bans on prohibited practices will apply six months later, in November 2024. The general-purpose AI rules will apply in May 2025, and the obligations for high-risk systems in three years.
Each EU Member State will have 12 months to designate at least one notifying authority and at least one market surveillance authority as national competent authorities for the purpose of supervising the application and implementation of the law. Oversight by national authorities will be supported by the Artificial Intelligence (AI) Office inside the European Commission.