AI regulation tracker: UK and EU take divergent approaches to AI regulation

On 21 April 2021, the European Commission introduced its proposal for a regulation laying down harmonised rules on AI throughout the European Union (the “AI Act”). Its status as a regulation means that, once finalised and in force, the AI Act will apply directly in each of the 27 EU member state countries.

The AI Act will apply to:

• providers placing on the market or putting into service AI systems in the EU, irrespective of where those providers are established;
• users of AI systems located in the EU; and
• providers and users of AI systems that are located in a third country, where the output of the system is used in the EU.

The AI Act will therefore have a broad extra-territorial reach and will need to be considered by providers and users of AI systems globally.

A “risk based” approach to regulating AI

The AI Act takes a “risk based” approach, classifying AI systems according to separate tiers:

• prohibited;
• high-risk;
• limited risk;
• all other systems (in effect, minimal risk).

The rules applicable to AI systems will vary depending on whether they fall into specific tiers or not.

1. Prohibited (including AI systems using techniques to manipulate individuals and cause harm):

The European Commission describes these types of AI systems as posing “a clear threat to the safety, livelihoods and rights of people”. As originally drafted, Article 5 imposed bans on systems that use subliminal techniques to materially distort users’ behaviour in harmful ways; exploit the vulnerabilities of specific groups; allow for “social scoring” by governments, or use biometric identification in public spaces for law enforcement purposes (subject to narrowly defined exceptions).

A later draft of the AI Act, released by joint committees of the European Parliament (“EP”) on 9 May 2023, proposes some significant changes, illustrating that it is still too early to assess the impact of the finalised AI Act with certainty. For instance, to fall within the prohibited tier, the EP proposes that an AI system must have the objective or the effect of “materially distorting a person’s or a group of persons’ behaviour by appreciably impairing the person’s ability to make an informed decision, thereby causing the person to take a decision they would not have taken otherwise in a manner that causes or is likely to cause that person, another person or group of persons significant harm”.

The EP’s proposals also ban the use of “real time” biometric identification systems in public places (meaning these systems can only be used by law enforcement “post” an incident, and only where subject to pre-judicial authorisation and in connection with serious crimes).

The scope of “prohibited” systems is further expanded by the EP’s proposals to include those used for predictive policing; the scraping of facial images to broaden facial recognition databases; and inferring emotions in the areas of law enforcement, border management, the workplace and education institutions.

2. High risk (i.e. systems subject to additional safeguards, including human oversight):

These systems include those used for:

• biometric identification and classification of natural persons;
• management or operation of critical infrastructure;
• education and vocational training,
• employment and worker management; and
• access to and enjoyment of essential public and private services (including creditworthiness and credit scoring).

These systems will be subject to strict additional obligations, such as the need to undergo a “conformity assessment”, a prior registration regime, adequate risk management and mitigation systems and ensuring appropriate human oversight. Requirements differ depending on whether the high risk AI is embedded as part of a wider system (e.g. in a medical device) or free standing.

In its 9 May draft, the European Parliament has proposed limiting the classification of “high-risk” systems to those posing a “significant risk” to the health, safety or fundamental rights of persons (different rules apply for safety components).

3. Limited risk:

Certain AI systems that are not “high risk” but interact with and/or could manipulate human behaviour, such as chat bots or emotion recognition systems, will be subject to specific transparency obligations, e.g. users must be made aware that they are interacting with a machine.

4. All other AI systems (low risk):

These are systems posing a minimal risk to users’ rights or safety, such as AI enabled spam filters. No specific requirements are proposed here in the original text.

5. Foundation models:

The EP’s 9 May draft introduces additional obligations in respect of “foundation models”.  A foundation model is defined as “an AI model that is trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks”. These proposals are in response to the popularity of foundation models such as GPT, on which ChatGPT is based.

What are the possible fines?

Fines are proposed on a sliding scale, with the most serious contraventions (including breaches of obligations applicable to prohibited and high-risk systems) carrying fines of up to:

• EUR 30 million; or
• 6% of total worldwide annual turnover for the preceding financial year (whichever is higher).

In its 9 May proposal, the EP proposed increasing fines to the higher of EUR 40 million or 7% of total worldwide annual turnover.

When will the AI Act come into effect?

The European Council published its “general position” in December 2022, which contained numerous changes to the text of the draft legislation. The EP adopted its negotiating position on 14 June 2023, meaning the “trilogue” stage can now commence. During the trilogue, the Council and the EP negotiate to reach agreement on proposed changes to the text.

Once the EU’s ordinary legislative procedure is complete (expected to take months), the AI Act is set to apply following a 24 month transition period. As a result, the AI Act appears unlikely to apply until 2025, at the earliest.

Initially proposed by the European Commission on 28 September 2022, the draft AI liability directive (the “AI Liability Directive”) aims to modernise the EU liability framework by introducing rules specific to damages caused by AI systems. The AI Liability Directive is complementary to the EU’s draft AI regulation (the “AI Act”). The EU product liability regime is also being updated in parallel.

Presumption of causality

The AI Liability Directive lays down a rebuttable presumption of causality, establishing a causal link between non-compliance with a duty of care under Union or national law (i.e. the fault) and either (a) the output produced by the AI system, or (b) the failure of the AI system to produce an output, that gave rise to the relevant damage. The presumption would only apply where the following conditions are satisfied:

• the claimant demonstrates that non-compliance with a certain EU or national obligation relevant to the harm of the AI system caused the damage (which might include failure to comply with a provision of the AI Act);
• it is reasonably likely that, based on the circumstances of the case, the defendant’s negligent conduct influenced the output produced by the AI system or the AI system’s inability to produce an output that gave rise to the relevant damage; and
• the claimant demonstrates that the output produced by the AI system, or the AI system’s inability to produce an output, gave rise to the damage.

The presumption will also depend on whether the AI system is “high-risk” or not. Different rules will apply in either case. A defendant will be able to rebut the presumption of causality, for instance by proving that their fault could not have been responsible for the relevant damage.

Disclosure of evidence

The AI Liability Directive would also provide EU member states’ national courts with the power to order disclosure of evidence concerning high-risk AI systems under certain circumstances.

When will the AI Liability Directive come into effect?

It is difficult to predict the timing at present; once the Directive is in force the draft text allows a further two years for EU Member States to transpose the final requirements into national law.

The UK Government’s Department for Science, Innovation and Technology (“DSIT”) is consulting on its white paper published on 29 March 2023 (the “AI White Paper”) until 21 June 2023. The proposals represent a light-touch approach consistent with the UK’s National AI Strategy published in September 2022.  Legislation is not currently being proposed, which is in stark contrast with the approach being taken in the EU.

The AI White Paper proposes a flexible definition of AI systems, based on their inherent adaptability and autonomy characteristics. It also suggests a principles-based framework for existing regulators to interpret and apply to AI within their remits.  Regulators would also be expected to issue guidance on how the principles interact with existing legislation, in order to support compliance in their sectors. This reflects the UK Government’s view that AI is a general purpose technology, likely to cut across numerous regulatory remits (suggesting that cooperation between regulators is likely to be fundamental).

The five cross-sectoral principles to be applied by regulators are:

1. safety, security and robustness;
2. appropriate transparency and explainability;
3. fairness;
4. accountability and governance; and
5. contestability and redress.

Initially, the principles will not be placed on a statutory footing.  Legislation may be passed in the future to impose a duty on regulators to have due regard to the principles, if it is found that they are not being applied appropriately. AI assurance techniques and technical standards are also intended to play a major role.

The AI White Paper does not seek to allocate liability for harm caused by AI. This issue will be left to existing legal frameworks and monitored further; however, future legislative intervention is not ruled out.