Mar 14 / Punit Bhatia

EU AI Act: Five Things You Need To Know

The EU AI Act is a risk-based regulatory framework. Artificial Intelligence (AI) systems are classified into four risk categories:

unacceptable risk,
high risk,
limited risk, and
minimal risk.

This classification dictates the level of regulatory scrutiny and compliance requirements that an AI system will be subjected to. Of course, the high-risk applications face the most stringent controls. This approach allows for flexibility and innovation (especially in lower-risk AI applications) while ensuring that those posing significant risks to safety and fundamental rights are adequately regulated.

Make no mistake, that the development and deployment of AI systems that can pose unacceptable risk shall be prohibited as per this law. These include AI systems that deploy subliminal techniques to manipulate persons to their detriment, exploit vulnerabilities of specific groups, conduct social scoring, or use real-time biometric identification in public spaces for law enforcement, with certain exceptions.

Tip: Evaluate the risk posed by your AI systems to ensure that your products comply with the EU's standards.

While systems that have the potential to violate rights or pose significant risks to individuals' safety are considered to pose unacceptable risk and will be prohibited, the systems that will create high risk will be subject to all requirements from this regulation. These requirements include data governance, transparency, and explain ability i.e., provision of clear information to users; robustness and accuracy; human oversight; and specific documentation requirements such as logging, adopting extensive testing methodologies and record-keeping to enable traceability.

Tip: Businesses operating or aiming to launch AI solutions that may pose high risk must prepare to meet all these obligations.

For AI applications that may not be classified as high-risk, particularly those interacting directly with consumers (like chatbots), must adhere to transparency requirements. This includes providing users with information that an AI system is being used, ensuring that users are aware of their interaction with an AI and not a human. This transparency is vital for maintaining trust and integrity in AI systems across all sectors.

Tip: Businesses are recommended to implement transparency requirements into all AI systems irrespective of the risk.

Like the EU GDPR, the EU AI Act will also be enforced rigorously. There are significant penalties for non-compliance. Depending on the violation, fines can go up to €30 million or 6% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This strict enforcement underlines the EU's commitment to ethical AI development and usage. It also signals the importance of compliance for all AI stakeholders.

Tip: We recommend you as a company to start now. And, we can help you.

In my opinion, the EU AI Act is a landmark regulation that will shape the future of AI development and usage not only within the European Union but also globally, as businesses and organizations worldwide will need to comply with these regulations to operate in the EU market. I believe many countries will now go for similar regulations. So, as business you need to start strengthening your risk management, data governance, transparency, testing and logging capabilities to name a few.

While it creates work for companies, I am convinced that this will contribute to a safer, more ethical AI landscape that is good for us humans.

Need help with EU AI Act compliance?

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing a AI & privacy strategy and policy.

Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.

As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one’s value to have joy in life. He has developed the philosophy named ‘ABC for joy of life’ which passionately shares. Punit is based out of Belgium, the heart of Europe.

For more information, please click here.

Stay connected with the views of leading data privacy professionals and business leaders in today's world on a broad range of topics like setting global privacy programs for private sector companies, role of Data Protection Officer (DPO), EU Representative role, Data Protection Impact Assessments (DPIA), Records of Processing Activity (ROPA), security of personal information, data security, personal security, privacy and security overlaps, prevention of personal data breaches, reporting a data breach, securing data transfers, privacy shield invalidation, new Standard Contractual Clauses (SCCs), guidelines from European Commission and other bodies like European Data Protection Board (EDPB), implementing regulations and laws (like EU General Data Protection Regulation or GDPR, California's Consumer Privacy Act or CCPA, Canada's Personal Information Protection and Electronic Documents Act or PIPEDA, China's Personal Information Protection Law or PIPL, India's Personal Data Protection Bill or PDPB), different types of solutions, even new laws and legal framework(s) to comply with a privacy law and much more.