The General Data Protection Regulation (GDPR) has been a subject of contention in the tech ecosystem since it’s implementation in May 2018. Some believe it is an accurate reflection of European principles, prioritizing personal safety and agency on the Internet, while others believe it is an impediment to business expansion and economic growth. There is truth to both statements. But the overarching observation arising from this is – Europe continues to be a strong, unrelenting voice in establishing the rules of the Internet.

GDPR is considered groundbreaking for that it explicitly places user privacy and personal data protection for EU citizens as the highest preference. Since its inception, as many as 80 countries have drawn inspiration from this statute to ascribe data protection frameworks applicable to their nation states and citizens based on GDPR.

The EU is no stranger to internet legislation and regulation building and has kept up this trend even as global headwinds in technology have a varied impact across geographies. Key Internet-based legislations emerging from Brussels – the de-facto EU capital – are in areas of e-governance, cybersecurity, online terrorism, and encryption. In December 2020, the European Commission proposed two legislative initiatives – the Digital Services Act (DSA) and the Digital Markets Act (DMA) which are essentially focused on upholding the fundamental rights of users and establish a level, competitive playing field – both in the European Single Market and globally.

The latest from EU’s policy stable is the Regulatory Framework on AI. This regulatory proposal aims to provide AI developers, deployers and users with clear requirements and obligations regarding specific uses of AI. At the same time, the proposal seeks to reduce administrative and financial burdens for businesses, especially small and medium-sized enterprises (SMEs). Like most policies, this one too highly prioritizes the safety and fundamental rights of Internet users, while making a case for innovation investment and economic growth in the EU.

Question is – just how much impact does this policy hold? Let’s take a look at some of its features as well as the criticisms it has garnered:

The proposed rules address risks specifically created by AI application, suggest a list of high-risk applications, set clear requirements for AI systems for high-risk applications, define specific obligations for AI users and providers of high risk applications, propose a conformity assessment before the AI system is put into service or placed on the market, stress on enforcements after such an AI system is placed in the market and advocates for a governance structure at European and national level.

There are rules for high-risk based AI systems – here they refer to systems that impinge on established fundamental rights, and covers remote biometric ID systems, safety in critical infrastructure, eligibility for public benefits, credit scoring and dispatching emergency services. In these high-risk endeavours, a compliance-based structure should be put in place and will be subject to strict vetting before taken to market. On the other hand, low-risk endeavours will not be subject to high-level scrutiny. The rules are based in the tenet that AI systems are incapable of making decisions that directly impact users and therefore, a human oversight is essential before commercializing these applications for markets.

(Rule-based approach to mitigate risk, as shown by European Commission)

With all laws, their success depends on enforcement. In this case, national supervisory authorities in EU nations are expected to lead market surveillance of AI systems. However, a member state or even the European Commission could object to decisions made by another member state, and this could lead to EU-wide consultations and possible reversal/alteration of the policy. To oversee these activities, a national level European Artificial Intelligence Board will be created, chaired by the European Commission and with representatives from every member state’s national advisory board and the European Data Protection Board.

And the kicker is this – member states can impose a hefty fine of up to 30 million Euros or 6% of a company’s annual turnover (whichever is higher) on entities that market AI systems by violating the rules-based assessment metric.

Some glaring omissions include the disparate collection of data, which could adversely impact protected classes, children and disabled – although this information is to be used to assess the extent of bias and discrimination. Moreover, the data collected that displays bias will not be shared with the sources of this data but will be provided to a regulator upon being asked.

And this policy doesn’t hold Big Tech accountable – a gripe shared by many like Thomas Metzinger, a philosopher in the University of Mainz. In the journal Nature, Harvard law professor goes on to say that industry has largely ‘mobilised to shape the science, morality and laws of AI’

What Next?

Currently, the regulations could be implemented by the second half of 2022 in a transitional period, according to the European Commission. In this period, standards would be mandated and developed, and the governance structures set up would be operational. The second half of 2024 is the earliest time the regulation could become applicable to operators with the standards ready and the first conformity assessments carried out.

EU continues to be a harbinger of Internet policy, and whether one likes them or not, countries do take cognizance of the ‘EU approach’ of policy making for the Internet while making their own rules. There is much to be debated on the nature of this new framework – some of the concerns about Big Tech’s lack of accountability and data collection practices should be seriously addressed by academics and researchers. However, the EU way has most notably opened the doors on the discussions surrounding regulating Artificial Intelligence. By itself, AI regulation isn’t a negative consequence, but it is also not a linear concept. Countries now need to explore regulatory frameworks in accordance to driving innovation, and consequently economic growth on the back of AI.