The EU is currently debating harmonised rules for artificial intelligence in the form of a legislative project aimed at making sustainable AI concrete. Finnish Parliament has also recently taken a position on the Commission’s proposed regulation. Clearly, this is a particularly relevant topic to designers and developers of AI systems. The proposed regulation has been criticised for its breadth and is set to keep industry operators on their toes as it develops towards its final form.
1.12.2021
Harmonised Rules to Keep Artificial Intelligence in Check
Related services
Tags
Four Main Classifications of AI
The goal of the proposed regulation is to incorporate obligations into special legislation in order to put the responsible use of AI into specific terms. AI systems often process information about the activities and lives of consumers, and responsibility in this context means, for example, transparency, fairness and ethicality. The aforementioned proposed AI regulation, which was published by the European Commission in April 2021, is an example of legislative efforts to harmonise the use of AI in the EU.
The goal for harmonised European rules is to increase trust in the use of AI and reduce applications of AI that violate of the EU’s fundamental rights, such as police state mass surveillance, scoring of citizens or other applications that pose a threat to citizens. These threats will be addressed by a classification of AI application into four main categories based on whether the application poses an unacceptable risk, high risk, limited risk or minimal risk.
These categories are based on the purpose of use, not the technology being used. AI is used for a wide array of applications, from chatbots to facial recognition and from the pharmaceutical industry to autonomous weapons. The obligations set forth in the proposed regulation are intended to promote transparency and consumer confidence.
Transparency Increases Trust
The responsible use of AI and responsible data processing require transparency. Transparency can be a strong competitive advantage not only in business but also from the perspective of customers or personnel. Keeping up with and adopting the latest technological developments can open up innovative business opportunities and perspectives. Clear communication to consumers creates an image of a company’s activities while increasing trust and commitment amongst consumers, employees and other stakeholder groups. However, it is important to note that many consumers may have difficulty conceptualising how AI functions.
Responsible use of AI can be seen as part of corporate responsibility. A regulatory model based on soft-law joint or self-regulation could be problematic, as it may not be enough to earn the trust of consumers, and other stakeholders would have little to no say in it. This kind of model also does not seek to distinguish between organisations responsible for supervision and those responsible for imposing sanctions.
Like the GDPR, the AI Regulation would require precision in data and data administration, sufficient data security and proper documentation of the realisation of transparency and the fulfilment of the disclosure obligation. The Commission’s proposal solves the separation of supervision and sanction power by establishing a European Artificial Intelligence Board, which would share responsibility for supervision with the Member States’ market supervisory authorities, while Member States would be responsible for imposing administrative fines and other sanctions. This is the same solution that was adopted in the GDPR.
Criticism of Proposed Regulation
The AI Regulation is a major legislative project, but the proposal is neither comprehensive nor watertight. For example, it presents few practical solutions to prevent algorithmic bias, despite the fact that this was one of the primary concerns that lead to the project being launched in the first place. The proposal’s definition of AI has also been criticised for being too broad. On the other hand, the reasoning behind the broad definition is to ensure that it is technology neutral and future proof so that it would not immediately become outdated as technology develops. The scope of application should be clear and the requirements proportionate. Clear boundaries can be justified, e.g. based on the principal of legal certainty. The definition of what applications are considered high risk is somewhat unclear in the annex of the proposed regulation, which creates uncertainty on the markets as to the suitability of the regulation.
The proposal has also been criticised for being overly complex and, as it would be directly applicable legislation, for leaving little room for Member States due to aiming for far-reaching harmonisation. There are also fears that increasing bureaucracy will hinder AI innovation.
What Next?
The Commission’s proposal is currently being debated by legislators, the European Parliament and the Council of Europe. Though the proposal has given rise to questions and doubts, the Member States are for the most part supportive of the goals of the proposal and have begun to find common ground in negotiations. The Slovenian EU presidency has aimed to present a compromise proposal in November 2021. Companies applying or planning to apply AI should keep abreast of the latest developments in the legislative project.
Latest insights
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Article published 7.12.2023 – Data & Technology
Agreements define data sharing and re-use
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
LähiTapiola and OP Henkivakuutus – Successful representation of insurance companies in Supreme Administrative Court health data processing cases
We successfully represented insurance companies LähiTapiola and OP Henkivakuutus in two cases concerning an important point of principle: the right of insurance companies to process health data as part of the insurance application process. The Supreme Administrative Court handed down twin decisions ( one published as precedent ) addressing the matter in light of contrary DPA decisions. Under the Finnish Data Protection Act, insurance companies may, to simplify, process health data concerning “insured persons” (vakuutettu, försäkrad) to determine liability under the insurance. This rule constitutes an exception to Article 9 GDPR. At issue was whether the term “insured person” also covers people in the process of obtaining insurance coverage or only people who are already covered. In more practical terms: can an insurance company rely on the rule when considering whether/how to grant the insurance in the first place? The SAC answered in the affirmative and thus upheld the traditional industry approach over the DPA’s contrary view. The SAC noted that the Data Protection Act did not define the term “insured person” and thus looked at insurance legislation for guidance. As argued by the insurance companies, that legislation also uses the term in the context of describing the insured person’s pre-contractual informational obligations. Thus, and in view of the underlying purpose of the rule at issue, the SAC found that an “insured person” could be someone in the process of obtaining coverage, not just a person already covered. The outcome clarifies the scope of the local rule at the insurance application stage for the Finnish insurance industry.
Case published 22.1.2026
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025
Oomi – Expansion into mobile telecommunications
We assisted Oomi Oy in its expansion into the mobile telecommunications market with the launch of Oomi Mobiili, a new MVNO brand. Our work covered the preceding due diligence process as well as structuring and negotiating key partner agreements, laying a solid foundation for Oomi’s entry into the new market. Oomi Mobiili will operate as a virtual mobile network operator, offering customers the option to purchase a mobile subscription together with their electricity contract. The phased launch is set to begin in autumn 2025, with nationwide availability targeted for early 2026.
Case published 15.8.2025