EU Bans AI Systems Deemed ‘Unacceptable Risk’: A Major Shift in Technology Regulation

As of Sunday, the European Union has introduced significant regulations aimed at controlling the use of AI systems that pose an “unacceptable risk” to individuals and society. This move is part of the EU’s comprehensive AI regulatory framework, known as the EU AI Act, which was approved last March after extensive deliberation.

Overview of the EU AI Act

The EU AI Act officially came into effect on August 1, and February 2 marks the first compliance deadline for organizations operating within the EU. This legislation aims to regulate various AI applications that interact with people, covering a wide range of use cases from consumer technology to physical environments.

Risk Classification Under the EU AI Act

The Act categorizes AI systems into four distinct risk levels:

• Minimal Risk: Examples include email spam filters, which will not face any regulatory oversight.
• Limited Risk: Such as customer service chatbots, which will be subject to light-touch oversight.
• High Risk: AI systems used for healthcare recommendations will encounter stringent regulations.
• Unacceptable Risk: These applications will be completely banned, and this category is the focus of the current compliance deadline.

Prohibited AI Activities

The EU has identified several AI applications that fall under the “unacceptable risk” category. These include:

• AI used for social scoring based on an individual’s behavior.
• Manipulative AI that influences decisions deceptively.
• AI exploiting vulnerabilities such as age or socioeconomic status.
• Predictive AI assessing individuals based on appearance.
• Biometric AI that infers personal characteristics, including sexual orientation.
• Real-time biometric data collection in public spaces for law enforcement.
• AI that attempts to assess emotions in educational or workplace settings.
• Facial recognition technologies that scrape images from the internet or surveillance footage.

Organizations found using these prohibited applications may face hefty fines—up to €35 million (approximately $36 million) or 7% of their annual revenue, whichever is greater.

Compliance Deadlines and Future Considerations

While the February 2 deadline is crucial, Rob Sumroy, head of technology at Slaughter and May, emphasized that the next significant milestone will occur in August. By this date, the responsible authorities will be identified, and enforcement mechanisms will be activated.

Industry Response and the EU AI Pact

In a proactive step, over 100 companies, including major tech firms like Amazon, Google, and OpenAI, signed the EU AI Pact last September. This voluntary agreement aimed to align with the principles of the AI Act ahead of its enforcement. Notably, some companies like Apple and Meta chose not to participate.

Potential Exemptions to the AI Act

Despite its strict regulations, the EU AI Act allows for certain exemptions. For instance:

• Law enforcement may use specific biometric systems for targeted searches in critical situations, provided they receive proper authorization.
• Systems that assess emotions in workplaces or schools may be permitted if there is a legitimate medical or safety reason.

The European Commission plans to release additional guidelines in early 2025 after consulting with stakeholders. However, clarity on how existing laws may interact with the AI Act remains uncertain.

Conclusion

As organizations prepare for the upcoming compliance deadlines, understanding the interconnected nature of AI regulations, such as GDPR and NIS2, will be essential. The landscape of AI regulation in the EU is evolving, and companies must stay informed to navigate these challenges successfully.