
The EU's Artificial Intelligence Act will bolster the European Union's dominance as a regulatory heavyweight in emerging technologies but will likely face enforcement challenges, and its stringent stipulations will likely stymie AI innovation and use within the bloc.
Following several days of discussions, European Union (EU) policymakers reached a provisional agreement on the Artificial Intelligence (AI) Act on Dec. 8, greenlighting the sweeping new legislative framework expected to be approved during the spring 2024 EU parliamentary legislative session. Under the agreement, all AI systems will have to comply with new transparency and reporting requirements, including risk assessments and public disclosures around AI training and implementation procedures. EU lawmakers also reached an agreement to regulate foundation models — the AI systems that underpin services like chatbots — one of the most contentious topics on the table during deliberations. The new rules, however, gave broad exceptions for open-source foundation models (those developed using code that is freely available for developers to alter for their own products and tools). The agreement will also ban biometric categorization and social scoring systems, cognitive behavior manipulation, the untargeted scraping of facial images from the internet or CCTV footage and the use of biometric surveillance systems in public places. However, law enforcement will be exempt from the new rules, meaning they will be allowed to use AI technologies to prosecute trafficking, terrorist threats and violent crimes. Following the EU lawmakers' solidified agreement, the European Parliament is expected to pass the AI Act in the spring 2024 legislative session, after which it will take effect in 2025.
- The new rules will leverage a tiered risk system for AI models, wherein the degree of regulatory oversight will be most stringent for systems that are deemed to pose "unacceptable" or "high" risk, whereas comparatively fewer requirements will regulate AI systems that pose "limited" or "minimal" risks.
- The AI Act will regulate foundation models or general purpose AI (GPAIs) under a two-tier approach — based on the computational resources they require — with the most advanced AI systems (under which currently only OpenAI's GPT-4 model would fall) deemed as "high-impact" and posing "systemic risk." These foundation models will be required to submit model evaluations, assess and mitigate areas of risk, conduct adversarial testing and report serious incidents to the European Commission.
The compromises made to individual EU member states on the Act reflect the competing priorities of ensuring robust protection and oversight mechanisms while also seeking to foster innovation in the AI sector. The European Union has long been a leader in digital and emerging technology regulatory oversight and has championed robust protectionist legislation, particularly regarding data privacy. That being said, the European Union's recent deliberations over the AI Act accentuated diverging interests among member states — namely, France, Germany and Italy, which fought to reduce requirements for foundation models. These countries sought to exempt foundation models from the new legislation altogether, arguing that overly restrictive measures may hinder economic advancement. As a compromise, EU lawmakers settled on a two-tier system for overseeing foundation models, setting a threshold below which less sophisticated models will be free from the most stringent oversight requirements included in the new Act. The settlement sought to appease EU representatives pushing for strong controls on foundation models while simultaneously capitulating to the demands of EU countries seeking to minimize onerous restrictions on the developing AI sector in the bloc. The use of AI for surveillance and biometric data was also heavily contested, with many EU member states seeking to ban such use cases altogether. However, other EU states, including France, which will host the Summer Olympic Games next year, lobbied heavily for government use cases to leverage AI in fighting crime and terrorism trends, reflecting competing priorities across different member states. The compromise, which permits law enforcement surveillance only in explicit cases, similarly reflected EU states' competing interests in regulating the proper use of AI systems while maximizing the utility of AI tools, particularly for national security interests.
- France, Germany and Italy jointly submitted a paper to other EU governments on Nov. 20, claiming Europe needs a "regulatory framework which fosters innovation and competition" and that the bloc should allow companies to self-regulate foundation models through company pledges and codes of conduct.
- In a public address on Dec. 11, French President Emmanuel Macron warned that the EU AI Act risks hampering European technology companies compared to rivals in the United States, the United Kingdom and China.
Despite the agreement between EU member states, the legislation's implementation will likely face obstacles and may undermine the European Union's competitive edge in the AI sector in the long term. While EU policymakers will still need to iron out technical aspects of the new rules' requirements, the Act appears set to be enacted. Even so, its implementation will still face hurdles, including the potential for novel AI breakthroughs that may occur in the interim, which could nullify aspects of the legislation. Likewise, the new rules' current threshold for defining "high-impact" systems — those with compute equal to or above that of GPT-4 — may be less relevant in two years if subsequent foundation models become much more advanced, potentially rendering the legislation less effective or void. Additionally, the AI Act's enforcement will be challenged by resource and personnel limitations within and across different member states' regulatory agencies, which have the potential to stifle oversight initiatives once the rules are in place. Regardless of these obstacles, the AI Act's official implementation will significantly augment transparency requirements for companies developing or using AI systems. It will also have material implications for the types of AI services available to EU citizens and companies within the bloc. Large AI developers like OpenAI, Microsoft, Google and Meta will likely limit which foundation models they make available in the European market, meaning there is a risk of them releasing specifically less advanced systems to the bloc. As a result, EU companies would suffer constraints in their efforts to integrate AI services into various commercial use cases that could accelerate efficiency or productivity.
As many companies in other jurisdictions like the United States incorporate AI tools, European industries will struggle to compete with their counterparts' efficiency gains, diminishing the bloc's overall economic competitiveness in the long term. Additionally, EU-based companies will have less access to advanced AI systems to generate their own internal AI applications, further minimizing AI innovation in commercialized use cases.
- Under the new rules, consumers would have the right to launch complaints if a company fails to uphold protections under the AI Act, and fines for violations would range from 7.5 million euros ($8.1 million) or 1.5% of global turnover to 35 million euros or 7% of global turnover.
- The United Kingdom has pledged to pursue a "pro-innovation" approach in the AI sector. In September 2023, the British government unveiled seven new principles to apply to foundation models, emphasizing accountability and transparency but lacking a binding enforcement mechanism.