Jonathan Armstrong is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”, and a Professor at Fordham Law School, where he teaches a postgraduate course on international compliance.
He says, “It’s been a long haul for the EU to get the EU AI Act into law, but they have finally done it and the new law comes into effect on 1 August 2024, albeit with transitional provisions which mean that it won’t be in full effect immediately. It’s quite a hybrid piece of legislation based on the EU’s greatest hits – a mix of influences from previous EU laws like product safety, competition, and GDPR.
"The new Act is not perfect, and it will suffer from some of the same issues as GDPR. There’s likely to be under-resourced regulators, patchy enforcement, and a struggle to keep up with innovation. However, it has already changed the thinking around AI risks and responsibilities both in the EU and further afield.
"The EU claims it is the first-ever comprehensive legal framework on AI worldwide. However, it is important to note that before the EU AI Act, AI was not unregulated in the EU. The world of AI isn’t the Wild West.
Previous enforcement actions under GDPR include the Italian Data Protection Authority’s ban on the ReplikaAI chatbot, Google’s temporary suspension of its Bard AI tool rollout after Irish data watchdog intervention, Italian DPA fines for Deliveroo over AI algorithm use, and Clearview AI fines under GDPR, including from the Italian, French & Greek DPAs."
How can businesses ensure they comply?
"Preparation now is key. Organisations should assess their current use and planned use of AI systems. Conduct a compliance gap analysis and identify affected business areas."
"Building a bespoke Action Plan is essential. This includes training employees, raising awareness, and briefing boards on AI risks and opportunities. Board training is especially important – many boards just don’t have AI and technology skills on their current board. They’ll need to fix this to understand the risks and opportunities with AI. Opting out of AI isn’t an option either. Knowledge will be important.”
"Organisations need to take an inventory of their current AI systems to identify what AI systems are being used and their risk level. Additionally, drafting and amending internal policies and procedures on AI compliance, such as updating data breach plans to include EU AI Act reporting, is essential."
"Preparing materials and notices to inform your customers of your AI use to meet transparency and other legal obligations, creating templates for required documents under the EU AI Act, and suggesting standardised clauses or addendums to add to your client and supplier agreements are also recommended steps. Legal advice is recommended to ensure all steps are covered."
How will UK businesses be affected?
“The UK government’s position on AI regulation has evolved, with the Labour Government's recent King's Speech indicating plans for new AI legislation. This includes setting up a Regulatory Innovation Office to support existing regulators. The new law might be a simplified version of the EU AI Act.
Also, we shouldn’t expect the UK Government to wait and see what happens with EU enforcement when the EU AI Act comes fully into force. With capable people in government who understand AI, a willingness to regulate, and a healthy majority to get things done, the new government might move more quickly.”
For more information or to arrange an interview please contact me.