Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post.
On July 12, 2024, the European Union’s Artificial Intelligence Act (AI Act) was published in the EU Official Journal.
This comprehensive legislation establishes the first risk-based regulatory framework for AI systems, with far-reaching implications for businesses using AI. The AI Act is effective August 2, 2024, with the enforcement of the majority of its provisions commencing on August 2, 2026.
Overview
The AI Act employs a risk-based classification system that categorizes AI systems into four levels:
- Unacceptable risk. AI systems used in social scoring systems, exploitative AI targeting vulnerable groups, and real-time biometric identification in public spaces (with limited law enforcement exceptions). These AI systems are prohibited.
- High-risk. AI systems used in critical infrastructure, education, employment, and law enforcement, subject to stringent requirements for risk management, data quality, technical documentation, transparency, human oversight, accuracy, and security.
- Limited risk. AI systems used in chatbots and deepfakes, subject to lighter transparency obligations, requiring developers and deployers to ensure end-users are aware they are interacting with AI.
- Minimal risk. Unregulated AI, including most AI applications currently available on the EU single market, such as AI-enabled video games and spam filters.
The AI Act also introduces specific provisions for General Purpose AI (GPAI) models, often referred to as “foundation models.” All GPAI providers must maintain technical documentation and comply with EU copyright law. Those developing GPAI models that pose systemic risks face additional obligations, including model evaluation, risk assessment, and enhanced security measures. Notably, providers must also publish summaries of the content used to train these models.
Scope
The AI Act has a broad territorial scope. Similar to the GDPR, it applies not only to providers and deployers established in the EU, but also to those outside the EU whose AI systems or outputs are used within the EU. This extraterritorial reach means that companies worldwide may need to align their AI development and deployment practices with the Act’s requirements to operate in or sell to the EU market.
Oversight
The AI Act’s enforcement will be primarily handled by the newly established European AI Office. This body will have the authority to impose substantial fines for violations, with penalties reaching up to €35 million or 7% of global annual turnover for prohibited AI uses, and €15 million or 3% of global annual turnover for most other infractions. To ensure proper oversight and consistent application of the regulations across the EU, the AI Office will collaborate closely with the European Commission, the European Artificial Intelligence Board, and national authorities in each EU member state.
Regulatory Timeline
The implementation of the AI Act will occur in phases.
- August 2, 2024: The AI Act officially takes effect.
- February 2, 2025: Enforcement begins for general provisions, definitions, and rules on prohibited AI uses.
- August 2, 2025: Implementation of notification obligations, governance structures, rules on general-purpose AI models, confidentiality measures, and penalties (excluding those for GPAI models).
- August 2, 2026: The majority of the Act’s provisions become applicable.
- August 2, 2027: Enforcement commences for specific high-risk AI systems.
As the first comprehensive AI regulation, the AI Act is likely to influence AI governance approaches globally. Organizations utilizing AI in their businesses should closely monitor the AI Act’s implementation and begin preparing for compliance in advance of the applicable deadlines.
Taft’s Privacy & Data Security team and its Technology and Artificial Intelligence team have extensive experience counseling clients on consumer data privacy laws, data minimization strategies, and data governance program development. For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.