Jun 62024

One Step Closer: AI Act Approved by Council of the EU

William RM Long, Francesca Blythe and Arthur Clover
, , , ,

On 21 May 2024, the Council of the European Union approved the EU Artificial Intelligence Act (the “AI Act”). This is the final stage in the legislative process and comes after the EU Parliament voted to adopt the legislation on 13 March 2024. This final vote clears the path for the formal signing of the legislation and its publication in the Official Journal of the EU in the coming weeks. The AI Act will then enter into force 20 days after such publication with staggered transition periods of 6 to 36 months.

This flagship legislation – the world’s first standalone law governing the use of AI – assumes a risk-based approach; i.e., the higher the risk of harm to society an AI use case poses, the more onerous the rules that are triggered. The AI Act applies to all sectors and industries, imposing new obligations on product manufacturers, providers, deployers (i.e., users), distributors and importers of AI systems. These obligations relate to, for example, conformity assessments, data quality, technical documentation and standards, record retention, transparency and human oversight. The AI Act also applies extra-territorially; e.g., to providers based outside the EU who place an AI system on the EU market and to providers and deployers based outside the EU where the AI system output is intended for use in the EU.

Importantly, the EU is aiming for the AI Act to have the same ‘Brussels effect’ as the GDPR — in other words, to have a significant impact on global markets and practices and to serve as a potential blueprint for other jurisdictions looking to implement AI legislation. Click here to visit Sidley’s AI Monitor.

Given the particular impact of the obligations of the AI Act and the structural changes this may have on AI systems and other products, organisations are taking action to consider and implement the requirements of the AI Act well before the end of the transition period. Additionally, it is important to remember that European authorities and courts are already starting to regulate AI on the basis of adjacent legal frameworks that apply today, such as the GDPR.

From a practical perspective, businesses should consider doing the following:

  • Assess whether the business is using AI and whether such AI systems are considered high- or limited-risk.
  • Determine if and how the AI Act requirements for such high- or limited-risk systems can be met.
  • Review other AI regulations and industry or technical standards, such as the NIST AI standard, to determine how these standards can be applied to the business.
  • Develop an AI governance program, which accounts for both the AI Act and other developing AI regulations and standards in other jurisdictions.

Read more: Top 10 questions about the AI Act.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Arthur Clover

Trainee Solicitor

aclover@sidley.com

You might also like
Heightened Focus in the EU for the Protection of Minors Online

The protection of minors online continues to be a focus for EU regulators. Following the publication last year by the European Parliament of its guidelines on online age verification methods for children, the European Commission has recently announced it will be holding a dedicated stakeholder workshop in September 2024 to discuss guidelines for age verification and protecting minors. Whilst the issue has been flagged as a priority by the European Data Protection Board (“EDPB”) and we are seeing an increase in guidelines and (in some cases) laws addressing the issue at a national Member State level, this is also a focus of the new EU Digital Services Act (“DSA”).

An Artificial Intelligence, Privacy, and Cybersecurity Update for Indian Companies Doing Business in the United States and Europe

Pivotal shifts have occurred in global data privacy, artificial intelligence (AI), and cybersecurity from executives facing more pressure to monitor their organizations’ cybersecurity operations, to an unprecedented wave of consumer data privacy laws and rapid advancements in AI technology use and deployment. Indian organizations should establish best practices to address these new (and emerging) laws, regulations, and frameworks.

U.S. SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Amendments Adopted

On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) adopted amendments to its Regulation S-P. These final amendments impose significant cybersecurity requirements for several SEC-registered entities and transfer agents registered with another appropriate regulatory agency, including with respect to these entities’ policies and procedures, incident response and notification procedures, and cybersecurity risk management.