The objective of the Artificial Intelligence Act (“AI Act”) being drafted is to ensure that the artificial intelligence systems released to the EU market and used there are safe and comply with fundamental rights. The AI Act also aims to facilitate developing the internal market and to promote competitiveness. Despite the good intentions, the end result may be quite the opposite. The so called Brussels effect came true for the General Data Protection Regulation.
5.9.2022
The EU is currently trying to decide what kind of intelligent systems we will use in the future
Eija Warma-Lehtinen & Sakari Salonen
Related services
Most of the developed countries can agree with the EU’s view on the prohibited uses of artificial intelligence, but is the EU able to produce AI regulation that would serve as a model for the whole world? Or will heavy AI regulation in the EU lead to a situation where Europe is left behind in AI development and eventually has to adapt to standards that have formed on other markets? Furthermore, is the new regulation actually necessary? For example, the frequently discussed matter of surveillance based on facial recognition in public places has already been opposed by the European Data Protection Board within the current regulation.
Unlike before, the AI Act concerns a specific technology. For this reason, the proposal raises the question: is the Act aimed at regulating the technology or the phenomenon for which the technology is used?
A lot of critique has been raised, indicating that the existing regulation, such as the GDPR and product liability and product safety regulations, could already offer sufficient protection for applying a specific technology. The GDPR regulates automatic decision-making based on personal data. It requires that the data is relevant, representative, accurate and complete. Particularly the requirement of completeness has long been debated: is any operator able to ensure the completeness and accurateness of data in any circumstances?
The key concepts of the proposal have also been criticised as too ambiguous, narrow or overlapping with other regulations. In addition, the proposal includes rather wide but ambiguous obligations for high-risk applications, such as wide obligations concerning human oversight. However, this does not guarantee that the persons conducting the oversight can actually detect and address deviations, which has become apparent when testing the operation of self-driving cars, for example. The obligations will be expensive for those parties that want to do what is right, whereas it may turn out to be difficult to call deceitful operators to account.
Despite the critique, the AI Act is on its way, so it is advisable to start preparing for its entry into force. The most important thing at the moment is to assess which of the three AI risk categories is the one that your application belongs to: unacceptable, high-risk or unregulated. If an application under development is categorised as a high-risk application, make sure that it fulfils the requirements of the Act, such as establishing a risk management system, drafting technical documentation, automatic recording of events and ensuring human oversight.
Latest insights
Article published 2.2.2026 – Data & Technology
Avoid costly risks with well-drafted distribution agreements
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Topi Lusenius & Samuli Salminen
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
Downing – Acquisition of the entire share capital of Tornionlaakson Voima
We advised UK-based investment company Downing in its acquisition of the entire share capital of Tornionlaakson Voima Oy. Tornionlaakson Voima owns three hydropower plants in the Tengeliönjoki river system – the Portimokoski power plants in Ylitornio, the Jolmankoski power plants in Raanujärvi and the Kaaranneskoski power plants in Sirkkakoski. The power plants produce a total of approx. 45 gigawatt-hours of electricity per year. Tornionlaakson Voima’s daily operations will continue normally, and the transaction will not affect customers. The consummation of the transaction is subject to the approval of the Ministry of Economic Affairs and Employment. Downing has over 35 years’ experience in providing a wide range of investment solutions to the needs of institutional investors, advisers and retail investors. The company manages over £2 billion in assets in both the private and public markets and its current hydro power portfolio includes approx. 50 hydro power plants in the Nordics.
Case published 27.3.2026
LähiTapiola and OP Henkivakuutus – Successful representation of insurance companies in Supreme Administrative Court health data processing cases
We successfully represented insurance companies LähiTapiola and OP Henkivakuutus in two cases concerning an important point of principle: the right of insurance companies to process health data as part of the insurance application process. The Supreme Administrative Court handed down twin decisions ( one published as precedent ) addressing the matter in light of contrary DPA decisions. Under the Finnish Data Protection Act, insurance companies may, to simplify, process health data concerning “insured persons” (vakuutettu, försäkrad) to determine liability under the insurance. This rule constitutes an exception to Article 9 GDPR. At issue was whether the term “insured person” also covers people in the process of obtaining insurance coverage or only people who are already covered. In more practical terms: can an insurance company rely on the rule when considering whether/how to grant the insurance in the first place? The SAC answered in the affirmative and thus upheld the traditional industry approach over the DPA’s contrary view. The SAC noted that the Data Protection Act did not define the term “insured person” and thus looked at insurance legislation for guidance. As argued by the insurance companies, that legislation also uses the term in the context of describing the insured person’s pre-contractual informational obligations. Thus, and in view of the underlying purpose of the rule at issue, the SAC found that an “insured person” could be someone in the process of obtaining coverage, not just a person already covered. The outcome clarifies the scope of the local rule at the insurance application stage for the Finnish insurance industry.
Case published 22.1.2026
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025