On 22 January, journalist Luca Bertuzzi leaked a final draft of the EU’s long-awaited AI Act. While the EU’s institutions reached a broad agreement on the AI Act late last year, some technical details remained to be ironed out. The leaked draft of the AI Act is not absolutely final, but it includes almost everything that will appear in the EU’s Official Journal once the law has been formally adopted.

AI Act basics

Many details have changed since the AI Act was first proposed by the European Commission in 2021. However, the structure and main principles of the law have survived. Here’s an overview of the AI Act’s basic features.

  • Scope: The AI Act covers AI systems that are “placed on the market”, “put into service”, or “used” in the EU, which covers the importing and distribution of AI systems.
  • Prohibited AI practices: Some uses of AI are banned outright, such as “social scoring”, using AI to exploit vulnerable people, or using “subliminal techniques” to manipulate people.
  • High-risk AI systems: Certain types of AI systems are prohibited in certain contexts or require additional safeguards prior to their use.
  • Enforcement: The AI Act will be enforced by national authorities, with fines reaching a maximum of €35 million, or 7% of global turnover.

The AI Act’s near final draft

After a long series of negotiations between the EU’s institutions, the leaked version of the AI Act reveals how some of the law’s sticking points have been resolved. For example:

  • New high-risk use cases: The leaked draft includes some new high-risk AI systems, including AI systems used to set the price of health and life insurance policies.
  • Bias mitigation: Providers of AI systems must put technical measures in place to detect, prevent, and mitigate bias.
  • Contractual clauses: Providers of high-risk AI systems must enter into contracts with suppliers. The AI Office (which will sit within the Commission) may develop model contractual clauses for these purposes.
  • General Purpose AI (GPAI): The AI Act provides a specific regulatory framework for GPAI systems (which self-supervise during training and can be used across a variety of contexts) with “systemic risks” with some exemptions for free and open-source models.

While this latest version of the AI Act is still technically a draft with some outstanding issues, remaining, it reveals how some long-standing disagreements have been resolved.

Preparing for AI regulation

The AI Act will not take effect for several years, but it significantly impacts how many companies use and develop AI. HewardMills can help your organisation prepare for the implementation of the AI Act and meet your AI-related obligations under existing law.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.