What’s included in the new EU law on AI

The European Parliament has given the final nod to far-reaching rules on artificial intelligence that the EU hopes will both harness innovation and defend against harms.

The law, known as the “AI Act”, was first proposed in April 2021 by the European Commission, the EU’s executive arm.

But it was only after Microsoft-funded ChatGPT burst onto the scene in late 2022 that the real AI contest began – and also the race to regulate.

China and the United States last year introduced regulation on AI but the European Union’s law is the most comprehensive.

The EU will take a staggered approach to applying the law.

Outright bans on forms of AI considered highest-risk will kick in later this year, while rules on systems like ChatGPT will apply 12 months after the law enters into force, and the rest of the provisions in 2026.

AI models

As EU negotiators debated the text, tensions within and lobbying from outside were at their highest over how to regulate general-purpose AI models, like chatbots.

Developers of such models will have to give details about what content they used – such as text or images – to train their systems and comply with EU copyright law.

There is a greater set of requirements for models, for example OpenAI’s latest ChatGPT-4 and Google’s Gemini, that the EU says pose “systemic risks”.

Those risks could include causing serious accidents, being misused for far-reaching cyberattacks, or propagating harmful biases online.

Companies offering these technologies must assess and mitigate the threats, track and report serious incidents – like deaths – to the commission, take action to ensure cybersecurity and give details about their models’ energy consumption.

The commission has already established the AI office that will enforce the rules on general-purpose AI.

Risk-based approach

The EU looks at AI systems from the perspective of risk to democracy, public health, rights and the rule of law.

High-risk products, such as medical devices, those used in education or systems used in key infrastructure like water, face more obligations to mitigate any danger.

For example, high-risk providers must develop the systems with quality data, ensure human oversight and maintain robust documentation.

Even after they place their product on the market, providers have to keep a close eye on it.

EU citizens will have the right to complain about AI systems, while public bodies must register the high-risk AI systems they deploy in a public EU database.

Breaking the rules can be costly.

The EU can slap AI providers with fines ranging between 7.5 million and 35 million euros, or between 1.5 and 7% of a company’s global turnover, depending on the size of the violation.

The rules also stipulate that citizens should be aware when they are dealing with AI.

For example, deepfake images produced using AI must be labelled as such while chatbots must say that they are AI-powered in their interactions.

Bans

There are some types of AI banned by the EU because the risks they pose are considered too great.

These include predictive policing, emotion recognition systems in workplaces or schools and social scoring systems that assess individuals based on their behaviour.

The law also bans police officers from using real-time facial recognition technology, with exceptions for law enforcement if they are searching for an individual convicted or suspected of a serious crime, such as rape or terrorism.

Police can ask to use the technology to find victims of kidnapping or trafficking – subject to approval from a judge or another judicial authority, and for a use limited in time and location.