On 12 July 2024, new legislation on artificial intelligence (Artificial Intelligence Act, “AI Act”) was published in the Official Journal of the European Union. The AI Act was designed to apply primarily to business entities using artificial intelligence (AI) and aims to establish a regulatory framework for its use while ensuring appropriate supervision.
To comply with the new regulations, business entities will have from 6 months to 3 years, depending on how AI is used within their organisation. Failure to comply with the regulations may result in substantial fines.
A potential response to the new regulations could be a compliance check and the introduction of internal guidelines that establish rules for working with artificial intelligence within the organisation. The use of AI-powered tools requires ensuring that these solutions are used by the company’s staff in a secure and responsible manner, and that the system meets the regulatory standards and will continue to do so in the future.
1. Will the regulations apply to your company?
The AI Act applies primarily to providers of AI systems (entities making their AI systems available to other entities, e.g. OpenAI) and deployers of AI systems (entities using AI technology across various sectors but do not control AI, e.g. an entity using AI for decision-making processes).
Business entities will be required to inform natural persons (employees,
clients, clients’ employees) that they are interacting with AI, explain the purposes of data processing by AI, and disclose that the data may potentially be shared with AI system providers. Regular risk assessments and ensuring compliance with the legal provisions will also be required.
The AI Act may apply to your organisation if:
-
- AI is used for marketing (creating advertising texts, images, videos, advertising customer profiling).
- AI is used for process automation (planning of timetables, minimising costs, testing software).
- AI is used as an element of a product (AI as a Service, AI in the Internet of things/smarthome).
2. Obligations under the AI Act
- The first step of preparing to meet these requirements will require mapping AI-powered systems and tools.
- The next step will be assessing these systems and tools in terms of the criteria set forth under the AI Act.
The result of this assessment will often determine whether it is necessary to put procedures and technical measures in place to continuously monitor the compliance with the AI Act and privacy protection regulations.
These obligations may include:
1Risk identification and assessment: business entities must verify whether the IA systems that they use, including new tools, fall within the high-risk category. High-risk systems are used, for instance, across such areas as health, education, employment, critical infrastructure, law enforcement, etc.
2Transparency and information disclosure to users: business entities must ensure that AI systems intended to interact with natural persons are designed and developed in such a way that these natural persons are informed about such interaction unless it is clear from the circumstances and context of the system’s use.
3Data security and protection: business entities must ensure that AI systems are secure and comply with the data protection regulations (GDPR).
4Monitoring and audit: business entities using high-risk AI systems should monitor their operation and audit them regularly to ensure the compliance with the AI Act.
5Cooperation with providers: if a business entity uses AI systems provided by external providers, it should cooperate with them to ensure that the systems comply with the AI Act.
6Training and awareness: business entities should ensure training for their employees on using AI systems and managing risks associated with such use.
3. Key clauses to include in internal AI usage terms and conditions
1Use of technology partners’ services: most of AI-powered products are based on models developed by other companies. It is important to inform users that their data may be shared with entities devising these models.
2IP rights the issue of ownership of AI-generated content and terms on which users may claim ownership or use rights should be clarified (Recital 28 AI Act).
3Data privacy and security: it is important to explain how user data are collected, used and protected. It is essential. given the sensitive nature of data processed by AI systems (Recital 28 AI Act).
4Limitation of liability: the rules of the company’s liability related to an AI product should be determined, in particular in scenarios where an AI result causes indirect or unintended consequences (this issue will soon be governed under the AILD).
5AI disclaimers: it is crucial to include a disclaimer stating that AI-generated content may not be accurate and that the company is unable to verify its accuracy. This disclaimer should be prominently displayed in the product interface (Recital 49 AI Act).
6“Be a good human” clause: as it is difficult to control how users can misuse AI, this clause notifies users that if they use AI contrary to the permitted use, their account may be suspended or terminated (Recital 58 AI Act).
7Restriction on sharing and publishing AI-generated content: There should be an explicit restriction prohibiting users from using AI-generated content in violation of the terms and conditions (usage regulations). Users should bear full responsibility for the content they publish (Article 52 AI Act).
4. What if you do not comply with the AI Act?
Sanctions for violating the AI Act will be governed under national legislation, however, the Act outlines their fundamental structure. The sanctions are categorised under a three-level violation system:
- Level 1: Failure to comply with the prohibitions under the AI Act
The highest fines will be imposed for using prohibited systems due to an unacceptable level of risk involved. Fines reach up to 30 million euro or up to 6% of an entity’s annual turnover.
Example: AI systems using subliminal, deliberately manipulative or deceptive techniques that materially distort a person’s behaviour may cause them to make a decision they would not otherwise make, in a way that could cause significant detriment.
- Level 2: Failure to comply with the requirements under the AI Act
The second highest fines are stipulated for the non-compliance with certain obligations. Breach of the relevant provisions is subject to fines of up to 20 million euro or up to 4% of an entity’s annual turnover.
Example: Failure to fulfill registration obligations or to ensure the accuracy of the provided information.
- Level 3: Provision of untrue, incomplete or misleading information to the supervision authorities
Provision of information requested by national authorities or notified bodies that is untrue, incomplete or misleading is subject to a fine of up to 7.5 million euro or 1% of an entity’s total turnover.
Example: The key factors considered when determining a fine will be the nature, gravity, intentionality and duration of the breach..
5. What we can do for you
To prepare your organisation for the new requirements, we will:
verify whether a given service or tool falls within the scope of the AI Act, and if yes – the role and obligations of the supplier of this service
carry out a legal audit of AI-powered tools, services and products
prepare legal materials on AI that can be used in documentation regarding the company’s operations: regulations, model contracts, marketing materials, websites and online tools
train your employees on the practical application of the AI Act
Contact:
Krzysztof Brant – Attorney-at-law | Senior Associate in the Personal Data Protection and Transactions M&A and Corporate Law
Michał Pietrzyk – Attorney-at-law | Senior Associate in the IP / IT , Contracts (Commercial) and German Desk Teams