In the constantly evolving world of technology, few innovations have captivated the public’s imagination — and roused their anxieties — quite like artificial intelligence (AI). It’s a realm of paradoxes and contradictions, where the miraculous promise of a technologically enhanced future meets the chilling threat of its potential perils. On one hand, we see the prospect of streamlined services, unprecedented scientific discoveries, and problem-solving prowess that dwarfs our own. Yet, on the other, we’re compelled to grapple with the spectre of job displacement, infringed privacy, and the daunting prospect of ceding control to machines. The burgeoning landscape of AI challenges us to reconcile this enthralling potential with its inherent risks, to shape an inclusive future where innovation thrives without compromising our core human values.
It is no surprise then, that the issue of AI Regulation has received so much attention in recent months with the widespread use of new AI technologies such as ChatGPT, Amazon’s Alexa, Virtual Assistants and more. In this regard, the first major breakthrough is emerging in Europe where after months of deliberations, the European Parliament finally agreed and passed the text of its version of the Proposed Artificial Intelligence (AI) Act on 14 June 2023.
The European Parliament has confirmed its stance on the AI Act, having secured 499 supporting votes, opposed by 28, with 93 deciding to abstain. The purpose of this legislation is to guarantee that AI systems, both developed and utilized within Europe, conform to EU rights and values. These encompass principles such as human supervision, safety, privacy, transparency, impartiality, and the promotion of social and environmental welfare.
It must be stressed that the European Parliament’s agreement on the text of the Proposed AI Act is merely a step in what is still an involved process before the EU is able to deliver its long-promised AI Act. The EU Council of Ministers and the European Commission still need to have their say.
In this month’s feature article, we aim to provide clarity by explaining 1. the broad term AI; 2. the relationship between AI and personal data; 3. the nature of the proposed AI Act; 4 the next steps from here.
The definition of an AI System is given in Article 3 (1) of the European Parliament’s adopted text of the Proposed AI Act:
‘‘’artificial intelligence system’ (AI system) means a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions, that influence physical or virtual environments”
Generally speaking, ‘Artificial Intelligence’ is a broad term used to describe a wide spectrum of technologies which do not follow pre-programmed instructions and effectively ‘learn for themselves’. This self-learning can be done by various means such as the application of an existing data set or by prioritising actions which intend to lead to the best outcomes and results. The operation within a ‘black box’ may be effective for a narrow and particular purpose, but the risk still exists as the tool does not have a higher level of assessment akin to human decision-making. AI does not have the capacity to understand whether a decision made is inherently or obviously right or wrong in a moral or ethical sense. From a data protection perspective, this is a cause for concern as the algorithm programmed to power the AI has the capacity to make decisions which may be in breach of the fairness in processing requirements under Article 5 (1) (a) of the GDPR. Moreover, Article 22 of the GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
AI systems have the capacity to pose risks to data privacy due to their expansive collection and processing of information, and personal data oftentimes may fall within this bracket depending on the AI system itself. Where personal data is processed by an AI system in the EU, the data subject must be afforded equivalent protection of their personal data as is done by other legislative instruments like the GDPR and the EU Charter of Fundamental Rights.
Before the AI Act was first proposed in 2021, the European Commission’s High-Level Expert Group on AI (AI HLEG) provided a guiding set of principles for the use of AI. One of the AI HLEG’s outputs an Assessment List for Trustworthy Artificial Intelligence (ALTAI) considers the relationship between Data Privacy and Artificial Intelligence. It notes the questions that must be asked before the integration of AI into an organisation:
There are a number of risks that AI inherently poses to data protection surrounding Transparency and Accountability. As an AI system has the capacity to make decisions based on information that it has collected and processed, the outputs of these decisions may have an impact on a data subject. Thus, these AI systems must be classified and regulated prior to its deployment on the market in order to avoid litigious complications.
The Proposed AI Act will form part of the European Commission’s regulatory framework to govern the use of AI within the EU. The Commission stated that the Act intends to analyse and classify AI systems that can be used in different applications according to the risk they pose to users. This risk-based approach cements the consumer protection slant of the legislation. It should be noted that the Act is concerned with the implications of AI even where there is no use of personal data.
The Commission outlined a number of goals which the AI Act aims to achieve, namely:
The European Commission describes the AI Act as a risk-based legal instrument. Four levels of risk associated with AI have been identified. (I) At the highest level are ‘unacceptable risks’ which are prohibited. (II) Below this level are AI uses involving high risks, these are permitted when certain compliance obligations and assessments have been carried out. (III) Thereafter, certain AI uses with mandatory transparency obligations are outlined. Importantly levels two and three are not exclusive as such certain activities may fall within the remit of both levels’ obligations. Finally, (IV) at level four are AI activities with minimal to no risk, which are permitted with no restrictions.
These are illustrated in Figure 1 below.
Figure 3. Risks According to Proposed AI Act
Where AI systems are deemed a threat to individuals, the system will be prohibited outright from operating in the EU. Some examples of such systems include:
AI systems that are considered to be High Risk are those that affect the safety or fundamental rights of the individual. These systems require an assessment of safety before they are permitted to be deployed on the EU market and are also subject to assessment throughout their life cycle on the market.
High-Risk AI systems can be subdivided into 2 categories:
The European Parliament agreed text for the proposed AI Act also introduced a tiered approach for AI models that do not have a specific purpose, what is otherwise known as “General Purpose AI”. This tiered approach applies a stricter regime for so-called, “foundation models” – large language models on which other AI systems can be built, such as OpenAI’s well-known ChatGPT product. Additionally, AI systems that can be used to generate new content are subject to compliance with transparency requirements. Some of these requirements include:
AI systems classified as Low Risk are obliged to follow minimal transparency obligations. These obligations aim to enable the user to make informed decisions by making users aware that they are interacting with AI, enabling them to decide whether or not to use the system and governing how they interact with the AI system should they wish to continue using it.
The Members of the European Parliament are set to embark on discussions with the EU Council of Ministers (which represents the governments of EU Member States) and the European Commission in “trialogue” negotiations. The intensity of these negotiations is anticipated to heighten as Spain assumes the rotating presidency of the Council in July. Madrid is committed to concluding the AI legislation, marking it as its premier digital objective.
The primary disputes are likely to revolve around high-risk categories, fundamental rights, and rules around “foundational” models like ChapGPT. Conversely, matters pertaining to governance, innovation, and the definition of AI are expected to be resolved at a technical level.
The first active trialogue is scheduled to take place before the Spanish parliamentary elections. The Spanish delegates are determined to broker an agreement by November through three trialogues, with an additional two planned as a contingency.
Pembroke Privacy will be following all developments in this domain and updating our clients as more information is available.
If you would like to learn more about the AI Act, we recommend looking at two resources:
Cookie | Duration | Description |
---|---|---|
__stripe_mid | 1 year | Stripe sets this cookie cookie to process payments. |
__stripe_sid | 30 minutes | Stripe sets this cookie cookie to process payments. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category . |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
CookieLawInfoConsent | 1 year | Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie. |
elementor | never | This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time. |
JSESSIONID | session | The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
woocommerce_cart_hash | session | This cookie is set by WooCommerce. The cookie helps WooCommerce determine when cart contents/data changes. |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
bcookie | 1 year | LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID. |
bscookie | 1 year | LinkedIn sets this cookie to store performed actions on the website. |
lang | session | LinkedIn sets this cookie to remember a user's language setting. |
lidc | 1 day | LinkedIn sets the lidc cookie to facilitate data center selection. |
wp_woocommerce_session_* | 2 days | WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one. |
Cookie | Duration | Description |
---|---|---|
_fbp | 3 months | Facebook sets this cookie to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising after visiting the website. |
_ga | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
_ga_* | 1 year 1 month 4 days | Google Analytics sets this cookie to store and count page views. |
_ga_P2DEMKMP2R | 2 years | This cookie is installed by Google Analytics. |
_gcl_au | 3 months | Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services. |
CONSENT | 2 years | YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data. |
Cookie | Duration | Description |
---|---|---|
IDE | 1 year 24 days | Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile. |
test_cookie | 15 minutes | doubleclick.net sets this cookie to determine if the user's browser supports cookies. |
VISITOR_INFO1_LIVE | 6 months | YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface. |
YSC | session | Youtube sets this cookie to track the views of embedded videos on Youtube pages. |
Cookie | Duration | Description |
---|---|---|
_cfuvid | session | Description is currently not available. |
li_alerts | 1 year | Description is currently not available. |
li_gc | 5 months 27 days | No description |
m | 2 years | No description available. |
VISITOR_PRIVACY_METADATA | 6 months | Description is currently not available. |
wffn_ay_1e37cffd5ec47397c8db4ea354fb2b8c | session | Description is currently not available. |
wffn_ay_60788fe5afe63b445a1d2b0b73b53d6c | session | Description is currently not available. |
wffn_ay_6af562e4dfd92cb654c7e3eef4ba6e00 | session | Description is currently not available. |
wffn_ay_7062c098eb0ceb1d8a49d870c1452142 | session | Description is currently not available. |
wffn_ay_fd5c68771c3e033278c7df1cc9801288 | session | Description is currently not available. |
wffn_browser | 2 days | No description |
wffn_flt | 2 days | No description |
wffn_is_mobile | 2 days | No description |
wffn_referrer | 2 days | No description |
wffn_si | 1 day | No description |
wffn_timezone | 2 days | No description |
woocommerce_items_in_cart | session | No description available. |
wp_woocommerce_session_6914927dc2b54e4765bd5474dd9a15c5 | 2 days | No description |