The EU's AI Act: Good regulation, bad regulation or somewhere in between?

History is littered with knee-jerk legislation, enacted with good intentions and often in response to genuine public fear. If you have ever traveled to the USA, you may be familiar with the I-94W Nonimmigrant Visa Waiver form that must be completed before entry. Among a number of questions asked, one is ‘Have you ever been or are you now involved in espionage or sabotage; or in terrorist activities -- Yes or No’. I’m sure many have often wondered whether those actually involved in such activities would be inclined to tick the ‘Yes’ box. This example effectively illustrates the challenges that all regulators and legislators should ask themselves at the outset, namely:

Are we doing this to address the problem or is it just a knee-jerk reaction to placate journalists and voters? (Remember that line from BBC political comedy Yes Minister -- “He’s suffering from Politician’s Logic. Something must be done, this is something, therefore we must do it.”)

How easy will it be to comply with these regulations?

How easy will it be to enforce them?

There is an increasing feeling that the regulators behind the EU’s AI Act should perhaps not be patting themselves on the head for being first out of the regulatory gate if their aim of protecting the public is outweighed by the damage inflicted because they end up strangling Europe’s AI industry at birth. Consequently, there has been vocal pushback from industry in the EU, particularly from companies and innovators in France and Germany who fear being eclipsed by the US and China globally and by the UK in Europe. Emmanuel Macron observed that there is not much point in being the leading regulator of an industry you don’t actually operate in.

Applying the three questions above, the Act may not be entirely fit for purpose because:

• Regulating AI means trying to hit a swiftly moving target. Its exponential evolution means that regulations drafted now could be completely left behind by what they are trying to rein in long before they come into force.
• The Act’s proposed definition of “artificial intelligence” is so broad that many of the technologies used by or developed for businesses will be caught, probably many more than need be given the risks the Act is meant to mitigate.
• The Act imposes a risk categorization system that could leave many innovators scratching their heads as to which category they fall into.
• It imposes a range of compliance requirements which will have to be met during design, implementation and commercial roll-out. This will be expensive and time consuming, a particular problem for start-ups.
• Compliance will be monitored and enforced by regulatory bodies in each Member State which have yet to be established. Can people with the requisite expertise be recruited? How consistent will these bodies’ approaches be?

Few relish the prospect of a Wild West, regulation-free environment, but the European Commission should perhaps be mindful of what happened with GDPR:

• Many low risk and even trivial activities were caught, making compliance not worth the trouble.
• Many companies ended up in breach because they just didn’t understand the regulations and couldn’t afford to hire the expertise required to guarantee compliance.
• Others chose to ignore the regulations and hoped they wouldn’t get found out. Most weren’t. Hefty fines were dished out to egregious culprits but they were big enough and wealthy enough to take it on the chin.
• Some companies decided it was safest not to sell or supply into the EU. If that happens to the EU with AI, the EU will be the loser.

No one wants to see the world become a dystopian technocratic police state because AI has permeated every walk of life unobserved and unfettered but we shouldn’t want to see the AI Act become GDPR 2.0 either, especially if more balanced and practical frameworks are brought in elsewhere. Until then, it looks like tech companies in the sector and their advisors are currently facing a re-run of the introduction of GDPR.

Image credit: phonlamai/depositphotos.com

Simon Portman is Of Counsel, and Mike Williams is Partner, at Marks & Clerk.