Prepare for the new wave of digital regulation

Artificial intelligence is currently a leading topic in the business world. Many companies are intensively trying to understand the significance of AI for their businesses – both as a risk and an enabler. Legislators have not been idle either. In Finland, the new national legislation on automated decision-making by public authorities already entered into force this year, and in the EU, the AI Act will likely soon follow suit.

Many companies are still trying to figure out what AI means exactly. Legislators have had the same problem: the definition of AI and, consequently, the AI Act’s scope of application have raised a great deal of debate. Under the broadest interpretation, many common present-day software solutions could be labelled ‘artificial intelligence’. At the moment, however, it seems that the definition included in the Act will be somewhat narrower than the wording in the first draft. Even though the AI Act is not yet in force, every company that produces and uses technology should already find out the extent to which the new regulation could apply to it, since the proposal includes obligations for both producers and users of AI solutions.

The AI Act introduces new regulatory techniques

The AI Act introduces regulatory techniques that are somewhat new to the general IT industry. The exact obligations imposed by the Act depend on the risk rating the Act gives to a particular AI solution, and the specific content of the obligations is also determined by standards separate from legislation in the same way as, for example, in product safety legislation. Even though the Act does include a set of obligations, many of them are relatively generally formulated in the Act itself. The idea is that the obligations will be specified in more detail in technical standards, and compliance with these standards creates the presumption of compliance with legislation. Even though it is only a presumption, we have long since learned from product safety legislation that in practice the standards form an integral part of the regulatory framework.

The supervision of AI solutions raises questions

The supervisory solutions related to the Act have also raised a lot of discussion. Since many AI solutions are, in practice, based on the processing of personal data, many issues related to AI, such as the use of customer data to improve the service itself and the transfer of data to third-country cloud services, are already familiar from data protection legislation. To avoid the problem of having several supervisory authorities, some have suggested that data protection authorities would be the natural choice for supervising AI as well. This solution is not, however, without problems.

Under the AI Act, high-risk systems subject to the most severe restrictions would also include systems where the related risks do not necessarily concern the processing of personal data. For example, the suggested high-risk rating of road transport and electricity supply systems is likely based on concerns other than those related to personal data, even though some personal data is processed in these systems. In addition, it should be taken into account that the regulatory techniques based on product safety and technical standards would be more or less new to data protection authorities. We will keep monitoring the development of the AI Act and its supervision arrangements with great interest. Perhaps some conclusions may be drawn from the fact that the suggested national supervisory authority for the EU Data Governance Act is the Finnish Transport and Communications Agency.

We are also interested in seeing how the contractual practices around AI will develop. For example, Microsoft has already released an update to its terms and conditions, defining liabilities related to AI-generated content. Now is the time to establish contractual and market practices, and many want to take part in steering the development.

The EU is revamping digital regulation

AI is not the only digital regulation project by the EU that provokes discussion among businesses, far from it. There are several ongoing regulatory projects, and the upcoming EU Data Act, for example, is a key aspect in the regulation agenda of many companies. Among other things, the Act will require device manufacturers to increase the transparency and shareability of the data collected by their devices.

We are here to support our clients through the change of digital regulation in terms of both AI and other solutions. If you wish to discuss AI, its regulation or other themes of this blog in more detail, please do not hesitate to contact the authors.