It’s the moment everyone has been waiting for. The AI Act has been agreed upon and that is all I shall be opening up with. More through here 👀

🤖 Artificial Intelligence
Trilogue negotiations on the AI Act were concluded. Welcome to the IT Law world, first-ever AI Act. The document represents a significant step in AI regulation and sets a precedent for global AI regulation, possibly mirroring the influence of the GDPR in data protection. The Act clarifies the definition of AI systems, aligning with the OECD approach, and sets out the scope of application, including exemptions for military, defense, research, and non-professional use. The approach taken is risk-based, with specific provisions for different types of AI systems and uses, particularly focusing on high-risk and general-purpose AI. The governance structure and enforcement mechanisms are designed to ensure compliance and promote a safe AI ecosystem within the EU. Without going into details, because well, weekly picks and news and all, here are some of the areas regulated by the AI Act, as reported by official channels:
- High-risk AI systems: High-risk AI systems are subject to specific requirements and obligations, with a focus on technical feasibility and reduced burdens for compliance.
- Prohibited AI practices and law enforcement issues: the Act extends the list of prohibited AI practices but allows limited use of remote biometric identification by law enforcement under strict conditions. There are specific provisions for the use of AI in law enforcement, balancing the need for operational efficiency with fundamental rights protection.
- Foundation models and systemic risks: The agreed-upon text maintains a tiered approach to foundation models, with automatic categorization as posing systemic risk for models trained with computing power above a specified threshold. Transparency obligations extend to all General Purpose AI (GPAI) models, including publishing summaries of training data. Systemic-risk models face stricter obligations, including evaluation of systemic risks, cybersecurity protection, and energy consumption reporting.
- AI governance and enforcement: An AI Office will be established within the European Commission to supervise foundation models. The governance system will aim to enforce the common rules in all member states, with advisory roles from a scientific panel of independent experts and a coordination platform comprising member states’ representatives.
- Protection of fundamental rights: High-risk AI systems deployers will be required to conduct a fundamental rights impact assessment. Increased transparency is now required for the use of high-risk AI systems, including obligations for public entities and the use of emotion recognition systems.
- Penalties for non-compliance: Fines are set as a percentage of the offending company’s global annual turnover or a predetermined amount (ranging from 35 million euro or 7% of global turnover down to 7.5 million euro or 1.5% of turnover, depending on the infringement and the size of the company), with more proportionate caps for SMEs and startups.
🎩 Competition
The UK’s Competition and Markets Authority (CMA) is soliciting comments on whether the partnership between Microsoft and OpenAI creates a “relevant merger situation” that could impact competition in the UK. This request is an early step in the CMA’s investigation, assessing the partnership’s implications in the rapidly advancing field of artificial intelligence and foundational models. The focus is on whether this collaboration, involving significant investment and strategic agreements, diminishes competition in AI development or use. The CMA is particularly interested in the partnership’s potential to alter control dynamics or market influence under the criteria of the Enterprise Act 2002.

🔐 Cybersecurity
ENISA published a report on the Denial-of-Service (DoS) attacks threat landscape. ENISA reported that 66% of DoS attacks from January 2022 to August 2023 were politically motivated. The government administration sector was the most targeted, with these attacks largely fueled by geopolitical events, particularly the Russian-Ukrainian war. The report reveals that DoS attacks have become more frequent, easier to execute, and more aggressive. ENISA’s analysis highlights the challenges in detecting and analyzing DoS attacks due to the lack of concrete artifacts and the varying quality of available information. The study emphasizes the need for enhanced strategies to prevent and mitigate the impact of these increasingly sophisticated cyber threats.
🔏 Data Protection & Privacy
The CJEU ruled on profiling and decision-making, with a side of retention times. The GDPR restricts ‘scoring’, a predictive method for evaluating creditworthiness, and opposes the extended storage of data beyond public insolvency register timelines. The CJEU ruled that ‘scoring’ should be considered an automated decision, generally prohibited by the GDPR unless exceptions apply. For data on debt discharge, the court found it unlawful for private agencies to retain this information longer than the public register. The rights of individuals were deemed more important than public access to this data after six months. The court also had to decide whether SCHUFA’s parallel storage of this data for six months was lawful, acknowledging individuals’ rights to object to data processing and request data deletion.
The CJEU also ruled that only a wrongful infringement of the GDPR may result in an administrative fine being imposed. The Court of Justice specified the criteria for imposing GDPR-related fines by national supervisory authorities. It stated that a fine can only be imposed if there is wrongful conduct, either intentional or negligent, in violating the GDPR. This applies regardless of whether the data controller’s management was aware of the infringement. Legal entities can be fined for breaches committed by any individual acting on their behalf. The Court also clarified joint control, stating that formal arrangements aren’t necessary for entities to be classified as ‘joint controllers’; shared decision-making is sufficient. However, joint controllers must establish their respective responsibilities through an agreement. Regarding fine calculations, the total turnover of the entire group or ‘undertaking’, as defined in competition law, should be considered, not just the individual entity’s turnover. This approach ensures fines are proportionate to the overall size and economic power of the group involved.
📄 Recommended Readings
Here are a couple of recent publications, in no particular order, that piqued my interest this week. Remember to grab a cuppa and settle in for some riveting reading.
Regulating data intermediaries: The impact of the Data Governance Act on the EU’s data economy by Gabriele Carovano & Michèle Finck
Disclaimer: I am in no way affiliated with the authors or publishers in sharing these, and do not necessarily agree with the views contained within. I try to include mostly open access publications due to, well you know, accessibility of knowledge and science.
If you have any thoughts or suggestions on how to make this digest more enjoyable, feel free to drop a line. Your feedback is always welcome!

Featured image generated using DALL·E 3.