Policy Explainer: European AI Act

The European Parliament recently passed the European Artificial Intelligence Act, 2024 (“Act”). The Act is a huge step in the EU’s policy development concerning tech and data governance, adding to the existing GDPR & Data Act. The Act will come into force once some formalities are completed: 20 days after both the official endorsement in April and the official publication that follows it.

Here’s a quick explainer regarding the key provisions of the Act and the impact on Indian startups and insurtechs.

Classification of AI Systems

The Act categorizes AI systems based on their risk. This risk level will determine how strictly the AI needs to be regulated. The classification is:

  • Unacceptable/Prohibited AI: a. manipulative, deceptive techniques; b. exploitation of the vulnerable; c. social scoring; d. biometric identification systems in public places (subject to exceptions); e. individual profiling; f. scraping of facial images; g. inferring emotions at workplaces/educational institutions. Certain exceptions are provided for the use of the tech by government or law enforcement, or for medical or safety reasons or criminal profiling.
  • High risk AI – includes critical infrastructure, education and vocational training, employment, essential services such as healthcare or banking, as well as law enforcement, migration and border management, justice, and democratic processes. As high risk AI forms a major part of the Act, it will be helpful to look at a detailed analysis of what is covered under high risk here
  • The providers of high risk AI systems are required to implement risk management, data quality, transparency, human oversight, accuracy and cybersecurity measures, along with obligations around registration.
  • Non-high risk AI uses, such as deepfakes, spam filters, video games etc., are subject to self-assessment & governance. User education about the use of AI is important here.

Entities

  • The EU AI Act primarily covers AI deployment and activities happening within the EU. That means the originator of such deployment/activities can be either from the EU or from outside the EU.
  • (In legal language) the scope of applicability is broad enough to cover both entities and individuals, in the EU or outside it, who are deploying, providing, placing, distributing or manufacturing AI systems within the EU. This will include entities having a place of establishment in the EU or outside the EU.
  • An apt example is provided by the Hindu Business Line: if an Indian company develops a platform which deploys AI to make decisions about applications for financial products that are offered by, and/or to, EU entities—such as credit scoring applications which may be categorised as ‘high risk’—the AI Act will apply even if the Indian company does not have an established presence in the EU. As a result, non-EU producers/developers/providers of AI systems will need to account for compliance risks, especially in light of the high penalties involved—much like in the GDPR regime.

Let’s look at the list provided under the Act:

  • Providers placing/putting into service AI models in the EU, who can be from the EU or other countries. For instance, Google will be a provider for its AI systems (developed + ownership + tradename)
  • Deployers having a ‘place of establishment’ or who are located within the EU (if Amazon uses Google’s AI systems, it will be a deployer)
  • Providers and deployers from countries outside the EU (such as India) where the output produced by the system is used in the EU
  • Importers and distributors of AI systems
  • Product manufacturers
  • Authorized representatives of providers which are not established in the EU
  • Affected persons located in the EU

How does it affect India-based entities and startups?

As discussed above, any India-based company

a) providing or deploying AI models or systems in the EU; or

b) having a place of establishment in the EU; or

c) whose AI model’s output is used in the EU

is automatically covered.

From a policy perspective, as with the GDPR, any policy widely adopted in the EU becomes a global standard of compliance (see the Brussels Effect). We have seen data privacy legislation modelled after the GDPR, hence we can expect AI policy updates from other major economies soon (including India).

How do I check the applicability of the EU Act?

Firstly, do refer to Article 2 & Article 3 of the Act to see if the Act applies to you. If yes, here’s an excellent compliance checker to see your compliances under the Act. Some overlapping compliances with GDPR may already be covered and need only be updated.


Disclaimer: The views expressed are personal opinion of the author and in no way constitute legal or financial advice.
