Artificial intelligence, or AI for short, plays a major role in the modern lives of people and companies. Various automations and algorithms govern online services, online trade and digital marketing. This has a significant impact on consumer behaviour. When it comes to consumer protection, the new regulation aims to increase consumers’ trust in AI and increase responsibility and safety in the market’s technological development. On 21 April 2021, the European Commission proposed a regulation laying down harmonised rules on artificial intelligence. According to estimates, the regulation could enter into force before the end of the year. With a transitional period of two years, the regulation would become applicable by the end of 2024.
30.8.2022
The Artificial Intelligence Act and consumer protection – are you ready?
Samuli Salminen
Related services
The definition of AI and the Artificial Intelligence Act in light of consumer protection
A typical problem concerning AI is that it is very difficult to define, at least exhaustively. The Act defines AI as a software that has the ability, for a given set of human-defined objectives, to generate outputs such as content, predictions, recommendations, or decisions which influence the environment with which the system interacts. AI is not offered to consumers in a raw format. Instead, consumers receive products or services that are controlled by sophisticated algorithms and software.
The proposed regulation does not create new consumer rights or form new appeal proceedings as such. According to the proposal, when harmful AI practices and systems do not fall under the scope of prohibited AI practices as defined in the proposed regulation, they would be covered by general data and consumer protection legislation. The focus of the proposed regulation is on defining certain prohibited practices and strictly regulated high-risk systems. These practices are examined both on an industry and on a sector basis.
Prohibited practices
The proposal prohibits the use of AI systems that create an unacceptable risk. These systems create such an obvious threat to the safety, rights and livelihoods of people that the regulation prohibits their use entirely. Such systems include ones that have the potential to manipulate people through subliminal techniques beyond their conscious awareness and that are likely to cause psychological or physical harm. The proposal also prohibits certain systems that use social scoring, as they are considered contrary to fundamental values of the EU. They can also lead to discrimination.
High-risk systems
The proposal classifies as high-risk such AI systems that are intended to be used as safety components of products, for example, as well as systems that pose a high risk of harm to health and safety and that are used in specific areas. The proposal lists some examples of high-risk AI systems, including systems used as safety components in the management and operation of the supply of water, gas, heating and electricity, and systems used to evaluate the creditworthiness of natural persons in relation to essential private and public services.
The obligations of providers of high-risk AI systems are laid down in Article 16 of the proposed regulation. Among other things, such providers of AI systems shall:
Obligation to disclose information
The obligation to disclose information is central to the general principles of consumer protection. In the context of AI use, the obligation to disclose information is therefore a general principle for all AI systems affecting consumers. This means that consumers must have easy access to sufficient, clear and timely information on the existence of an AI system, its deductive processes and possible outcomes and its effects on consumers. Consumers must also be told how they can request the system’s operations to be reviewed or fixed and how they can contact a competent person. Information on disputing the matter must also be provided.
Further specifications to AI regulation
The Artificial Intelligence Act is meant to be a part of a larger whole, and some parts are not yet known. For example, there will be a separate proposal concerning the liability issues surrounding AI. It is likely that this proposal will be applicable to consumer protection as well. The proposal will also have several connecting factors to existing EU regulation, such as data protection and market supervision regulation and the general EU regulation on consumer protection binding on businesses.
Sources:
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0206&from=EN
Latest insights
Article published 2.2.2026 – Data & Technology
Avoid costly risks with well-drafted distribution agreements
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Topi Lusenius & Samuli Salminen
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
Downing – Acquisition of the entire share capital of Tornionlaakson Voima
We advised UK-based investment company Downing in its acquisition of the entire share capital of Tornionlaakson Voima Oy. Tornionlaakson Voima owns three hydropower plants in the Tengeliönjoki river system – the Portimokoski power plants in Ylitornio, the Jolmankoski power plants in Raanujärvi and the Kaaranneskoski power plants in Sirkkakoski. The power plants produce a total of approx. 45 gigawatt-hours of electricity per year. Tornionlaakson Voima’s daily operations will continue normally, and the transaction will not affect customers. The consummation of the transaction is subject to the approval of the Ministry of Economic Affairs and Employment. Downing has over 35 years’ experience in providing a wide range of investment solutions to the needs of institutional investors, advisers and retail investors. The company manages over £2 billion in assets in both the private and public markets and its current hydro power portfolio includes approx. 50 hydro power plants in the Nordics.
Case published 27.3.2026
LähiTapiola and OP Henkivakuutus – Successful representation of insurance companies in Supreme Administrative Court health data processing cases
We successfully represented insurance companies LähiTapiola and OP Henkivakuutus in two cases concerning an important point of principle: the right of insurance companies to process health data as part of the insurance application process. The Supreme Administrative Court handed down twin decisions ( one published as precedent ) addressing the matter in light of contrary DPA decisions. Under the Finnish Data Protection Act, insurance companies may, to simplify, process health data concerning “insured persons” (vakuutettu, försäkrad) to determine liability under the insurance. This rule constitutes an exception to Article 9 GDPR. At issue was whether the term “insured person” also covers people in the process of obtaining insurance coverage or only people who are already covered. In more practical terms: can an insurance company rely on the rule when considering whether/how to grant the insurance in the first place? The SAC answered in the affirmative and thus upheld the traditional industry approach over the DPA’s contrary view. The SAC noted that the Data Protection Act did not define the term “insured person” and thus looked at insurance legislation for guidance. As argued by the insurance companies, that legislation also uses the term in the context of describing the insured person’s pre-contractual informational obligations. Thus, and in view of the underlying purpose of the rule at issue, the SAC found that an “insured person” could be someone in the process of obtaining coverage, not just a person already covered. The outcome clarifies the scope of the local rule at the insurance application stage for the Finnish insurance industry.
Case published 22.1.2026
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025