30.8.2022

The Artificial Intelligence Act and consumer protection – are you ready?

Artificial intelligence, or AI for short, plays a major role in the modern lives of people and companies. Various automations and algorithms govern online services, online trade and digital marketing. This has a significant impact on consumer behaviour. When it comes to consumer protection, the new regulation aims to increase consumers’ trust in AI and increase responsibility and safety in the market’s technological development. On 21 April 2021, the European Commission proposed a regulation laying down harmonised rules on artificial intelligence. According to estimates, the regulation could enter into force before the end of the year. With a transitional period of two years, the regulation would become applicable by the end of 2024.

The definition of AI and the Artificial Intelligence Act in light of consumer protection

A typical problem concerning AI is that it is very difficult to define, at least exhaustively. The Act defines AI as a software that has the ability, for a given set of human-defined objectives, to generate outputs such as content, predictions, recommendations, or decisions which influence the environment with which the system interacts. AI is not offered to consumers in a raw format. Instead, consumers receive products or services that are controlled by sophisticated algorithms and software.

The proposed regulation does not create new consumer rights or form new appeal proceedings as such. According to the proposal, when harmful AI practices and systems do not fall under the scope of prohibited AI practices as defined in the proposed regulation, they would be covered by general data and consumer protection legislation. The focus of the proposed regulation is on defining certain prohibited practices and strictly regulated high-risk systems. These practices are examined both on an industry and on a sector basis.

Prohibited practices

The proposal prohibits the use of AI systems that create an unacceptable risk. These systems create such an obvious threat to the safety, rights and livelihoods of people that the regulation prohibits their use entirely. Such systems include ones that have the potential to manipulate people through subliminal techniques beyond their conscious awareness and that are likely to cause psychological or physical harm. The proposal also prohibits certain systems that use social scoring, as they are considered contrary to fundamental values of the EU. They can also lead to discrimination.

High-risk systems

The proposal classifies as high-risk such AI systems that are intended to be used as safety components of products, for example, as well as systems that pose a high risk of harm to health and safety and that are used in specific areas. The proposal lists some examples of high-risk AI systems, including systems used as safety components in the management and operation of the supply of water, gas, heating and electricity, and systems used to evaluate the creditworthiness of natural persons in relation to essential private and public services.

The obligations of providers of high-risk AI systems are laid down in Article 16 of the proposed regulation. Among other things, such providers of AI systems shall:

Obligation to disclose information

The obligation to disclose information is central to the general principles of consumer protection. In the context of AI use, the obligation to disclose information is therefore a general principle for all AI systems affecting consumers. This means that consumers must have easy access to sufficient, clear and timely information on the existence of an AI system, its deductive processes and possible outcomes and its effects on consumers. Consumers must also be told how they can request the system’s operations to be reviewed or fixed and how they can contact a competent person. Information on disputing the matter must also be provided.

Further specifications to AI regulation

The Artificial Intelligence Act is meant to be a part of a larger whole, and some parts are not yet known. For example, there will be a separate proposal concerning the liability issues surrounding AI. It is likely that this proposal will be applicable to consumer protection as well. The proposal will also have several connecting factors to existing EU regulation, such as data protection and market supervision regulation and the general EU regulation on consumer protection binding on businesses.

Sources:

https://www.kkv.fi/ajankohtaista/lausunnot/lausunto-u-28-2021-vp-valtioneuvoston-kirjelma-eduskunnalle-komission-ehdotuksesta-euroopan-parlamentin-ja-neuvoston-asetukseksi-tekoalyn-harmonisoiduksi-saantelyksi-artificial-intelligence-act/

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0206&from=EN

Latest references

The Supreme Administrative Court (SAC) issued a significant precedent (decision KHO:2025:23) in a case in which it found that the Finnish Motor Insurers’ Centre (Liikennevakuutuskeskus, LVK) processed patient data in accordance with the requirements concerning fairness, data minimisation, and privacy by design and by default when deciding on compensation claims. We represented LVK in this case in which the SAC upheld the Administrative Court’s decision to repeal the EUR 52,000 administrative fine imposed on LVK by the Sanctions Board of the Office of the Data Protection Ombudsman. The SAC also confirmed the Administrative Court’s decision, which, as far as we know, was the first of its kind in Finland, ordering the Office of the Data Protection Ombudsman to reimburse some of our client’s legal costs. The decision bears great significance for the insurance industry as a whole. The crux of the matter were LVK’s information requests under the Motor Liability Insurance Act for patient data that were essential in determining insurance or compensation claims. In certain cases, making a decision may require extensive patient data. The Office of the Data Protection Ombudsman had found that LVK had systematically made overly broad information requests infringing Articles 5 and 25 of the GDPR and that the information should have been provided in the form of separate medical opinions. The Administrative Court repealed the Data Protection Ombudsman’s decision and found that patient records from medical appointments are, as a general rule, essential in establishing causality in compensation matters. It also stated that the tasks related to the consideration of compensation matters are specifically the core tasks of the insurance company and not of the controller of patient data. Furthermore, the Administrative Court found no evidence indicating that LVK would have systematically made overly broad information requests. ‘Once again, our collaboration with C&S was seamless throughout this extensive process, and we could trust that our case was in expert hands’, says Visa Kronbäck, Chief Legal Officer of the Insurance Centre. The full decision is available on the SAC website (in Finnish):  KHO:2025:23.
Case published 18.6.2025
We advised the Ilkka Paananen Foundation on a legal review relating to the use of a chatbot system utilising generative artificial intelligence.  The AI system provides conversational support to young people experiencing mental health issues and various life crises.  Our advice covered the AI Act, which regulates advanced AI systems, as well as data protection and other relevant local legislation.
Case published 16.6.2025
We advised Pihlajalinna Plc on an arrangement whereby Pihlajalinna Terveys Oy and Ikipihlaja Setälänpiha Oy sold their special housing services business to Esperi Care Oy.  The transaction involved three Pihlajalinna Uniikki units in Hämeenlinna, Lohja and Riihimäki as well as Ikipihlaja Oiva in Raisio. As a result of the arrangement, more than 100 employees transferred to Esperi. Pihlajalinna is one of Finland’s leading private providers of social and healthcare services, offering a wide range of services to both private and public sector clients. Pihlajalinna has more than 160 locations across Finland.
Case published 2.6.2025
We are proud to have provided legal assistance to PwC in the successful public tendering process for the comprehensive renewal of Kela’s benefits processing systems. Kela is the Social Insurance Institution of Finland, and this project is a significant cornerstone in modernising Finland’s social security infrastructure. PwC was selected as Kela’s strategic partner to implement a comprehensive overhaul of the benefits processing systems, digital services, customer relationship management, and information exchange platforms. The project aims to meet the demands of the future digital environment and enhance customer experience through the adoption of Salesforce technology. The new systems are expected to simplify benefit processes, enhance user experience for both customers, employees and other stakeholders, and ensure adaptability to future legislative changes. Castrén & Snellman provided strategic legal support to PwC throughout its successful bidding process, which was carried out through a competitive negotiated procedure. We extend our warmest congratulations to PwC for their successful bid and look forward to seeing the positive impact of this project on Finland’s social security system.
Case published 24.4.2025