If you’re building an AI-powered product with customers in the European Union, it’s important to understand the regulations governing artificial intelligence and data protection within the EU.
Two key pieces of legislation, the EU AI Act and the General Data Protection Regulation (GDPR), have significant implications for the development and deployment of machine learning (ML) systems within the European Union.
Having a cloud provider (eg. AWS or Azure) hosted outside of the EU doesn't make things easier. It is crucial to understand the potential conflicts between EU data protection regulations and the regulations of the country where your cloud provider is based to ensure compliance and safeguard data privacy.
The EU AI Act
The EU AI Act, which is set to become the first comprehensive legal framework for AI, adopts a risk-based approach to regulating AI systems. It classifies AI systems into four categories based on their level of risk and sets out specific requirements and obligations for each category. The EU AI Act will impact any AI tools or providers whose products are used in the European Union.
The EU AI Act was approved by the European Parliament on March 13, 2024 and is set to become law shortly after the European Council conducts a final review. However, the law is expected to be implemented gradually, with various provisions taking effect at different times until 2026.
Penalties for noncompliance can reach EUR 35,000,000 or 7% of a company's annual worldwide revenue, whichever is higher.
GDPR
General Data Protection Regulation (GDPR), which has been in effect since 2018, lays down rules for processing personal data and grants individuals certain rights over their data. While GDPR doesn’t expressly outline artificial intelligence use cases, the rules apply to any processing of personally identifiable data across the European Union.
Under the General Data Protection Regulation (GDPR), wrongful infringements can be fined up to €20 million or 4% of the annual worldwide turnover, whichever is greater.
Who does the EU AI Act apply to?
The EU AI Act applies to a wide range of entities involved in the development, deployment, and use of AI systems within the European Union. The Act establishes a comprehensive legal framework for AI, focusing on a risk-based approach to regulate AI systems according to their potential impact on individuals and society.
The EU AI Act applies to:
Providers of AI systems: Those who develop AI systems or have them developed with the purpose of placing them on the market or putting them into service under their own name or trademark, regardless of whether they are established within the EU or in a third country.
Users of AI systems: Any natural or legal person, public authority, agency, or other body using an AI system under its authority.
Importers and distributors of AI systems: Those who place AI systems on the market or put them into service within the EU, as well as those who make substantial modifications to AI systems already placed on the market or put into service.
Institutions, agencies, and bodies of the EU: When they fall within the scope of the AI Act.
The EU AI Act applies to both public and private organizations, startups as well as established companies building foundational AI models. It covers a wide range of AI systems, from those posing unacceptable risks (which are prohibited) to high-risk, limited-risk, and minimal-risk systems, each with their own set of requirements and obligations.
Exceptions
AI systems developed or used solely for military purposes, as well as those used for national security, border control, and law enforcement, are excluded from the Act's application, as they are subject to separate legal frameworks. Additionally, AI systems that are components of products already covered by specific sectoral legislation, such as medical devices, aviation, or motor vehicles, are exempt from the Act's requirements. Finally, AI systems used in a personal, non-professional capacity, like AI-powered personal assistants or home automation systems, also fall outside the purview of the EU AI Act.
A risk-based approach to AI regulation
The EU AI Act is all about managing the risks associated with AI systems. It does this by dividing AI systems into four categories based on how much of an impact they could have on people and society:
Prohibited AI systems: These are AI systems that pose “unacceptable” risks, like AI that such as those that deploy subliminal techniques, exploit vulnerable groups, or enable social scoring by public authorities, are strictly prohibited under the AI Act.
High-risk AI systems: These are the systems that could seriously impact people's safety or fundamental rights, like AI used in law enforcement, education, or employment. High-risk AI systems are subject to strict requirements before they can be placed on the EU market.
Limited-risk AI systems: These AI systems pose some risks because they're not fully transparent, like chatbots, emotion recognition systems, and deepfakes. They have to meet specific transparency requirements.
Minimal-risk AI systems: These are the minimal risk AI systems that don't have to follow any extra rules under the AI Act. But the Act does encourage providers to develop voluntary codes of conduct for these systems.
High-risk AI systems
Anything that impacts on people's safety or fundamental rights are classified as high-risk. These include systems used as safety components of products, as well as those deployed in specific areas such as law enforcement, education, and employment. High-risk AI systems are subject to strict requirements before they can be placed on the EU market.
If you're working on a high-risk AI system, you'll need to make sure it ticks all these boxes before you can release it in the EU:
Risk management: You'll need a solid risk management system in place to identify and analyze potential risks throughout the AI system's lifecycle.
Testing and technical robustness: Your AI system will need to go through rigorous testing to make sure it performs consistently and reliably, even if the input data has errors or inconsistencies.
Data governance and training: The data you use to train, validate, and test your AI system must be relevant, representative, and error- and bias-free. You'll also need to implement appropriate data governance and management practices.
Transparency and human oversight: Your AI system should be developed in a transparent way, with clear information provided to users. It should also allow for human oversight and intervention when needed.
Cybersecurity: You'll need to protect your high-risk AI system against unauthorized access, manipulation, and other malicious actions.
Limited risk AI systems
The EU AI Act classifies certain AI systems as limited-risk due to their potential to deceive or manipulate users through a lack of transparency. These limited-risk AI systems include:
AI systems intended to interact with natural persons (e.g., chatbots)
Emotion recognition systems
Biometric categorization systems
Systems that generate or manipulate content (e.g., deepfakes)
For these limited-risk AI systems, the EU AI Act imposes specific transparency obligations to ensure that users are aware they are interacting with an AI system and can make informed decisions. Providers of limited-risk AI systems must:
Disclose that users are interacting with an AI system, unless it is obvious from the context or circumstances.
Ensure that AI-generated or manipulated content is labeled as such, making it clear that the content has been artificially generated or manipulated.
The impact of these transparency requirements is to increase user awareness and mitigate the potential for deception or manipulation. By ensuring that users know they are interacting with an AI system or consuming AI-generated content, the EU AI Act aims to promote informed decision-making and protect users from being misled.
However, compared to high-risk AI systems, limited-risk systems are subject to fewer requirements and obligations under the Act. Providers of limited-risk AI systems do not need to comply with the more stringent requirements related to risk management, testing, technical robustness, data governance, human oversight, and cybersecurity that apply to high-risk systems.
Minimal risk AI systems
For these minimal-risk AI systems, the EU AI Act does not impose any additional mandatory requirements or obligations on providers beyond those already applicable under existing legislation, such as consumer protection laws or product liability rules.
However, the Act does encourage the development of voluntary codes of conduct for providers of minimal-risk AI systems. These codes of conduct are intended to promote best practices, ethical standards, and transparency in the development and deployment of minimal-risk AI systems.
GPAI models and systemic risks
General Purpose AI (GPAI) models, also known as foundation models, are versatile AI systems that can be adapted to perform a wide range of tasks across various domains. While these models play a key role in AI’s advancement, the EU AI Act considers them to pose unique challenges and systemic risks.
Concentration of power
The concern the EU raises is that the development of GPAI models is concentrated among a few large tech companies, which could lead to a concentration of power and influence over a wide range of applications and sectors.
The EU AI Act considers GPAI models trained using a total computing power exceeding 10^25 FLOPs to be presumed to pose systemic risks. Providers of such models will be required to notify the European Commission when this threshold is met.
Amplification of biases and discrimination
Another concern the EU has is that GPAI models trained on vast amounts of data may inadvertently amplify societal biases and discrimination, leading to unfair outcomes across multiple domains.
Opacity and lack of accountability
According to some views, the complex and often opaque nature of GPAI models can make it difficult to understand how they arrive at specific outputs, leading to a lack of accountability for their decisions and actions.
Potential for misuse and dual-use applications
GPAI models could be misused or adapted for malicious purposes, such as generating disinformation, manipulating public opinion, or enabling surveillance.
The EU AI Act's Approach to GPAI Models
To address the systemic risks associated with GPAI models, the EU AI Act introduces specific rules for providers and users of these systems:
Registration: Providers and users of GPAI models must register their model in an EU database managed by the European Commission.
Risk Assessment: Comprehensive risk assessments must be conducted, and appropriate measures taken to mitigate potential risks.
Transparency: Key characteristics of the GPAI model, such as its intended purpose, training data, and performance metrics, must be disclosed to ensure transparency.
Security: Robust security measures must be implemented to prevent unauthorized access, misuse, or malicious attacks.
By establishing a regulatory framework for GPAI models, the EU AI Act aims to promote greater transparency, accountability, and oversight, while ensuring that these powerful AI systems are developed and used in a responsible, trustworthy, and human-centric manner.
Impact of EU AI Act on Cloud GPU Processing
At the time of writing the EU AI Act has not yet been put into effect, so the full extent of how it impacts cloud GPU processing (and data processors) in the European Union is unclear.
What's also unclear is how the EU AI Act will balance out with the CLOUD Act implemented in the United States, and other international AI regulation that is still in the review process.
Just like with the introduction of GDPR, we do expect the full scope and consequences of the EU AI Act to be better defined as more companies and legal experts bring in their views.
If you are looking for a cloud GPU partner with datacenters within the European Union, look no further than DataCrunch. We are based in the European Union and 100% governed under EU legislation. We are fully GDPR compliant as well as ISO 27001 certified.
While you can’t predict the future, you can take steps to be compliant and ready for what is coming!