How are UK businesses affected by the EU AI Act?

What is the EU AI Act?

The EU Artificial Intelligence Act, or EU AI Act, is the act which has recently been passed by the EU Parliament to govern the supply and use of all AI systems in the EU.

When does the EU AI Act come into effect?

The Act was published in the Official Journal of the European Union on 12 July 2024 and came into effect on 1 August 2024. However, most of its provisions apply only from 2 August 2026, some will take effect early February 2025.

Nevertheless, the European Commission encourages organisations to adopt the AI Pact voluntarily before the AI Act starts to apply. The AI Pact is expected to be launched during the transitional period between the Act coming into force and the start of its application.

What is covered by the EU AI Act?

The Act takes a horizontal approach in its application. The Act applies to all AI systems generally, instead of setting out specific rules for each sector.

The Act establishes a legal framework for the development, supply and use of AI in the EU and contains the following rules:

• Rules for the supply and use of AI systems in all member states.
• Extraterritorial provisions for operators based outside the EU.
• Prohibitions on certain AI practices considered dangerous.
• Technical requirements for AI systems presenting high risk of harm.
• Operator requirements for organisations at different levels in the high-risk AI supply chain.
• Specific rules for providers of general-purpose AI models. This includes provisions to protect copyright works.
• Requirements for certain AI systems to be completely transparent when those systems interact directly with humans or generate certain content.
• Market surveillance rules as monitoring the AI’s abilities to learn is important.
• Measures to support innovation, help SMEs and start-ups.

Which sectors are excluded under the EU AI Act?

Article 2(3) to 2(12) of the Act set out the sectors which would be excluded from its application. These include:

• Systems used exclusively for military, defence or national security purposes.
• Systems used by third country public authorities or international organisations for compliance with international agreements or judicial co-operation with the EU or a member state.
• Systems used for the sole purpose of scientific research and development.
• Systems used for purely personal activity by natural persons.
• Systems released under free and open-source licenses, unless placed on the market or used as a high-risk AI system.

What are the prohibited practices under the EU AI Act?

Article 5 of Chapter 2 of the Act sets out the AI activities which are prohibited under the Act. These are as follows:

• Systems which contain subliminal techniques and would ultimately manipulate or distort the behaviour of a person by impairing that person’s ability to make an informed decision and therefore causing or be likely to cause harm.
• Systems which would exploit a person’s vulnerabilities due to their age, disability or social or economic situation with a view to distort that person’s behaviour and cause harm.
• Systems used for social scoring based on known or predicted personality and which causes detrimental treatment unjustified or unrelated to the context or their social behaviour.
• Systems which assess the risk of a person to commit a crime or re-offend.
• Systems that create or expand facial recognition databases through untargeted scraping or facial images from the internet or CCTV.
• Systems used for emotion recognition in the workplace or educational instructions. There is however an exception for medical or safety reasons.
• Systems with biometric categorisation used to infer characteristics, such as race, political opinions or religion.
• Systems using real-time, remote biometric identification in publicly accessible spaces for law enforcement purposes. This however does not apply when searching for victims of abduction, preservation of life and finding suspects of certain criminal activities.

Does the EU AI Act apply to the UK?

The Act applies to all businesses within the EU, albeit its scope is extra-territorial. This means that all businesses in the UK which develop AI systems for the EU market will fall under the Act’s regulations. It is therefore necessary for UK companies to act now in order to comply with the Act’s requirements. Businesses would need to take the following actions:

• Assess the impact of the Act on compliance.
• Categorise and create an inventory of AI systems.
• Identify prohibited AI systems and take action as necessary.
• Review and update the AI governance model with a view to align with the Act.
• Develop comprehensive risk management procedures.
• Ensure robust data management practices.
• Ensure that proper control protocols are in place.
• Understand internal and external dependencies related to AI systems.

Notwithstanding this, the UK government acknowledges that legislative action will need to be taken in the future in response to the ever-expanding AI technologies. The Act will undeniably bring new compliance challenges for businesses and it is important for businesses to address these challenges.

For further advice and assistance, please contact our Commercial Solicitors on 01604 828282 / 01908 660966 or email [email protected]