The proposed regulation on artificial intelligence

Posted Nov 29, 2022 10:21 AM

AI, long the subject of fantasies, is far from being a new technology. However, its use is becoming more and more democratized within companies (notably via software based on AI) and benefits from the constant improvement in the computing power of computers.
Based on the observation of the central and growing place of this technology in all aspects of citizens’ lives, the European Commission has decided to promote “trustworthy” AI. (2)
It is with this in mind that on April 21, 2021, the European Commission published the proposal for a regulation on artificial intelligence, commonly known as the “AI-Act”.(3) Although the text is not yet final – the phase trialogues are still in progress – it is already considered to be structuring for companies. It is indeed to be expected that its impact will be comparable to that – in its time – of the General Data Protection Regulation (GDPR).

The European Commission’s proposal is the result of a long process of reflection and consultation. This began in 2018 with the creation of a high-level expert group (AI HLEG – “AI High Level Expert Group”). Driven by its desire to gather the opinions of stakeholders in order to create a regulatory framework adapted to the AI ​​market, the European Commission submitted some of this work to a public consultation.(4)

The text is also based on the principles identified by the European Union in its global digital strategy (5), in particular the need to put technology (in this case AI) at the service of people.

The approach adopted by the European Commission on this text is interesting in several respects.

First of all, the regulation aims not to be a brake but a tool for promoting European competitiveness on the international AI market. The Commission has thus indicated that a “balanced and proportionate horizontal regulatory approach which is limited to minimum requirements” has been made necessary in order to “respond to the risks and problems associated with AI without unduly restricting or hampering technological development or increasing disproportionately the costs of bringing an AI solution to market”.

The project thus provides for the implementation of numerous initiatives in support of AI (in particular regulatory “sandboxes” aimed at reducing the regulatory burden on SMEs and start-ups).

The European Commission has also taken the side of technological neutrality. The provisions and rules established by the text are determined according to the purpose of the AI ​​system and not the underlying technology used or the sector in which the system is used. Whether the AI ​​system is used in the banking, automotive or luxury sector, its classification is made according to the risks that the system may present for the health, safety, fundamental rights, etc., of people ( risk approach). By opting for horizontal regulation, the Commission seeks to ensure that the text is long-lasting and dynamic, without the technological developments that we will experience in the future having any impact on its effectiveness.

Finally, one of the assumed objectives of the European Commission is to give the text the same international scope as the GDPR. The proposed regulation therefore has an extraterritorial scope of application. The text thus impacts all the players in the marketing chain of an AI system, from the supplier to the user, including, where applicable, the distributor and/or the importer.

However, the Commission’s proposal is the subject of much criticism. The most widespread has to do with the excessively broad nature of the scope of the text and in particular of the definition of the AI ​​system. It is not limited to the commonly accepted acceptance of AI and therefore to self-learning systems (“Machine-Learning”). Among the qualification criteria of the AI, the statistical and logical approaches of the system can also be retained to carry the application of the text. However, these approaches correspond to the vast majority of software. It would then not be a question of regulating the use of AI but of software.

Also, the relationship between the proposed regulation and other existing European and national texts (in particular the GDPR) or to come will certainly be delicate.

The challenge of compliance for companies

It is possible here to make an interesting parallel with the GDPR as the process of compliance and maintenance of it will be comparable. As with the GDPR, this compliance will require the mobilization of different business lines (legal, technical, security, purchasing, compliance, etc.).

It will not be a one-off exercise for companies, but the establishment of a virtuous and evolving system because the obligations follow the actors throughout the life cycle of the AI ​​system (from its design to its placing on the market as well as the monitoring of its operation).

In order to minimize the costs generated by such projects, it is recommended that companies start looking into the provisions of the text as of now, even though they may change. Indeed, as has been observed with the GDPR, the later the compliance, the more it can be costly in terms of human, organizational and technical resources.

Without starting to implement the obligations incumbent on the players, it would be particularly useful to focus initially on mapping the AI ​​systems within each entity in order to identify which software and solutions would potentially be affected by the text. .(6)

Finally, while potential changes to the proposal are expected during the trialogues, its general principles have been established and will remain stable: the ethical nature of the algorithms (through the absence of bias with potentially dangerous consequences for the individuals concerned), governance and data quality in test and production environments, the possibility of documenting compliance actions, computer traceability of systems (logging of logs), etc. A reflection can therefore already be carried out in order to integrate these principles “by design” in projects based on AI systems.

The issue of compliance for companies is also of course the assessment of the risk of non-compliance. The penalties provided for by the text are dissuasive (the highest amount between a maximum of 30 million euros or 6% of the total annual turnover achieved by a company during its previous financial year). Such amounts should contribute to creating the same level of emotion as that experienced with the GDPR.

Beyond the uncertainties that remain to this day, the adoption of the text will undoubtedly constitute a major turning point in the regulatory environment for technological assets, contributing to the growing regulation of IT activities.

By : Stéphane Lemarchand (Partner lawyer in IPT), Jeanne Dauzier (Counsel lawyer in IPT) and Maria Aouad (lawyer in IPT)

(1) “Artificial Intelligence Market Size, Share and Trend Analysis Report by Solution, by Technology (Deep Learning, Machine Learning, Natural Language Processing, Machine Vision), by End Use, by Region and Segment Forecast, 2022-2030,”

(2) White Paper on Artificial Intelligence, “A European approach focused on excellence and trust”, European Commission, 19 February 2020 (COM(2020) 65 final).

(3) Proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (Artificial Intelligence Law) and amending certain acts of Union legislation European Commission, 21 April 2021 (2021/0106(COD )).

(4) Note. the white paper on artificial intelligence, v. Supra.

(5) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, “Shaping Europe’s digital future”, European Commission, 19 February 2020 (COM(2020) 67 final).

(6) Self-assessment guide for artificial intelligence (AI) systems from the CNIL (; CapAI project created by the universities of Oxford and Bologna (“A Procedure for Conducting Conformity Assessment of AI Systems in Line with the EU Artificial Intelligence Act”)

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *