What you need to know about the Artificial Intelligence Act

The Artificial Intelligence Act - What you Need to Know

Table of Contents


In the constantly evolving world of technology, few innovations have captivated the public’s imagination — and roused their anxieties — quite like artificial intelligence (AI). It’s a realm of paradoxes and contradictions, where the miraculous promise of a technologically enhanced future meets the chilling threat of its potential perils. On one hand, we see the prospect of streamlined services, unprecedented scientific discoveries, and problem-solving prowess that dwarfs our own. Yet, on the other, we’re compelled to grapple with the spectre of job displacement, infringed privacy, and the daunting prospect of ceding control to machines. The burgeoning landscape of AI challenges us to reconcile this enthralling potential with its inherent risks, to shape an inclusive future where innovation thrives without compromising our core human values.

It is no surprise then, that the issue of AI Regulation has received so much attention in recent months with the widespread use of new AI technologies such as ChatGPT, Amazon’s Alexa, Virtual Assistants and more. In this regard, the first major breakthrough is emerging in Europe where after months of deliberations, the European Parliament finally agreed and passed the text of its version of the Proposed Artificial Intelligence (AI) Act on 14 June 2023.

The European Parliament has confirmed its stance on the AI Act, having secured 499 supporting votes, opposed by 28, with 93 deciding to abstain. The purpose of this legislation is to guarantee that AI systems, both developed and utilized within Europe, conform to EU rights and values. These encompass principles such as human supervision, safety, privacy, transparency, impartiality, and the promotion of social and environmental welfare.

It must be stressed that the European Parliament’s agreement on the text of the Proposed AI Act is merely a step in what is still an involved process before the EU is able to deliver its long-promised AI Act. The EU Council of Ministers and the European Commission still need to have their say.

In this month’s feature article, we aim to provide clarity by explaining 1. the broad term AI; 2. the relationship between AI and personal data; 3. the nature of the proposed AI Act; 4 the next steps from here.

What do we mean by Artificial Intelligence?

The definition of an AI System is given in Article 3 (1) of the European Parliament’s adopted text of the Proposed AI Act:

‘’artificial intelligence system’ (AI system) means a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions, that influence physical or virtual environments”

Generally speaking, ‘Artificial Intelligence’ is a broad term used to describe a wide spectrum of technologies which do not follow pre-programmed instructions and effectively ‘learn for themselves’. This self-learning can be done by various means such as the application of an existing data set or by prioritising actions which intend to lead to the best outcomes and results. The operation within a ‘black box’ may be effective for a narrow and particular purpose, but the risk still exists as the tool does not have a higher level of assessment akin to human decision-making. AI does not have the capacity to understand whether a decision made is inherently or obviously right or wrong in a moral or ethical sense. From a data protection perspective, this is a cause for concern as the algorithm programmed to power the AI has the capacity to make decisions which may be in breach of the fairness in processing requirements under Article 5 (1) (a) of the GDPR. Moreover, Article 22 of the GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

AI and Personal Data

AI systems have the capacity to pose risks to data privacy due to their expansive collection and processing of information, and personal data oftentimes may fall within this bracket depending on the AI system itself. Where personal data is processed by an AI system in the EU, the data subject must be afforded equivalent protection of their personal data as is done by other legislative instruments like the GDPR and the EU Charter of Fundamental Rights.

Before the AI Act was first proposed in 2021, the European Commission’s High-Level Expert Group on AI (AI HLEG) provided a guiding set of principles for the use of AI. One of the AI HLEG’s outputs an Assessment List for Trustworthy Artificial Intelligence (ALTAI) considers the relationship between Data Privacy and Artificial Intelligence. It notes the questions that must be asked before the integration of AI into an organisation:

    1. Does the AI system protect personal data relating to individuals in line with the GDPR?
    2. Have you put in place processes to assess in detail the need for a data protection impact assessment, including an assessment of the necessity and proportionality of the processing operations in relation to their purposes, with respect to the development, deployment and use phases of the AI system?
    3. Have you put in place measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data with respect to the development, deployment and use of phases of the AI system?



There are a number of risks that AI inherently poses to data protection surrounding Transparency and Accountability. As an AI system has the capacity to make decisions based on information that it has collected and processed, the outputs of these decisions may have an impact on a data subject. Thus, these AI systems must be classified and regulated prior to its deployment on the market in order to avoid litigious complications.

What is the AI Act?

The Proposed AI Act will form part of the European Commission’s regulatory framework to govern the use of AI within the EU. The Commission stated that the Act intends to analyse and classify AI systems that can be used in different applications according to the risk they pose to users. This risk-based approach cements the consumer protection slant of the legislation. It should be noted that the Act is concerned with the implications of AI even where there is no use of personal data.

The Commission outlined a number of goals which the AI Act aims to achieve, namely:

    • “ensure that AI systems placed on the [EU] market and used are safe and respect existing law on fundamental rights and [EU] values,”

    • “ensure legal certainty to facilitate investment and innovation in AI,”

    • “enhance governance and effective enforcement of existing law on fundamental rights and safety requirements applicable to AI systems,” and

    • “facilitate the development of a single market for lawful, safe and trustworthy AI applications and prevent market fragmentation.

A Risk Based Approach

The European Commission describes the AI Act as a risk-based legal instrument. Four levels of risk associated with AI have been identified. (I) At the highest level are ‘unacceptable risks’ which are prohibited. (II) Below this level are AI uses involving high risks, these are permitted when certain compliance obligations and assessments have been carried out. (III) Thereafter, certain AI uses with mandatory transparency obligations are outlined. Importantly levels two and three are not exclusive as such certain activities may fall within the remit of both levels’ obligations. Finally, (IV) at level four are AI activities with minimal to no risk, which are permitted with no restrictions.

These are illustrated in Figure 1 below.

Figure 3. Risks According to Proposed AI Act

Figure 3. Risks According to Proposed AI Act

Unacceptable Risk

Where AI systems are deemed a threat to individuals, the system will be prohibited outright from operating in the EU. Some examples of such systems include:

    • Cognitive behavioural manipulation of people or specific vulnerable groups: for example voice-activated toys that encourage dangerous behaviour in children

    • Social scoring: classifying people based on behaviour, socio-economic status or personal characteristics

    • Real-time and remote biometric identification systems, such as facial recognition

High Risk

AI systems that are considered to be High Risk are those that affect the safety or fundamental rights of the individual. These systems require an assessment of safety before they are permitted to be deployed on the EU market and are also subject to assessment throughout their life cycle on the market.

High-Risk AI systems can be subdivided into 2 categories:


  1. AI systems that are used in products falling under the EU’s product safety legislation.
    • This includes toys, aviation, cars, medical devices, and lifts.
  2. AI systems falling into 8 specific areas that will have to be registered in an EU database:
    • Biometric identification and categorisation of natural persons
    • Management and operation of critical infrastructure
    • Education and vocational training
    • Employment, worker management and access to self-employment
    • Access to and enjoyment of essential private services and public services and benefits
    • Law enforcement, migration, asylum and border control management
    • Assistance in legal interpretation and application of the law.

Generative AI

The European Parliament agreed text for the proposed AI Act also introduced a tiered approach for AI models that do not have a specific purpose, what is otherwise known as “General Purpose AI”. This tiered approach applies a stricter regime for so-called, “foundation models” – large language models on which other AI systems can be built, such as OpenAI’s well-known ChatGPT product. Additionally, AI systems that can be used to generate new content are subject to compliance with transparency requirements. Some of these requirements include:

    • Disclosing that the content was generated by AI

    • Designing the model to prevent it from generating illegal content

    • Publishing summaries of copyrighted data used for training

Low Risk

AI systems classified as Low Risk are obliged to follow minimal transparency obligations. These obligations aim to enable the user to make informed decisions by making users aware that they are interacting with AI, enabling them to decide whether or not to use the system and governing how they interact with the AI system should they wish to continue using it.

What happens next?

The Members of the European Parliament are set to embark on discussions with the EU Council of Ministers (which represents the governments of EU Member States) and the European Commission in “trialogue” negotiations. The intensity of these negotiations is anticipated to heighten as Spain assumes the rotating presidency of the Council in July. Madrid is committed to concluding the AI legislation, marking it as its premier digital objective.

The primary disputes are likely to revolve around high-risk categories, fundamental rights, and rules around “foundational” models like ChapGPT. Conversely, matters pertaining to governance, innovation, and the definition of AI are expected to be resolved at a technical level.

The first active trialogue is scheduled to take place before the Spanish parliamentary elections. The Spanish delegates are determined to broker an agreement by November through three trialogues, with an additional two planned as a contingency.

Where can I learn more?

Pembroke Privacy will be following all developments in this domain and updating our clients as more information is available.

If you would like to learn more about the AI Act, we recommend looking at two resources:

    1. Euractiv have played a leading role in monitoring the progress of negotiations around the AI Act https://www.euractiv.com/sections/artificial-intelligence/
    2. While the Future of Life Institute provide a highly informative newsletter on a fortnightly basis. You can sign up here (https://artificialintelligenceact.substack.com/)



Send an enquiry

Newsletter Subscribe

Contact Details

Get in touch