
A GDPR for artificial intelligence?

The various institutions of the EU aim to be the rule makers and standard bearers for artificial intelligence and associated technology (“AI”). One AI use case which has come under particular scrutiny is that of facial recognition. Since we last wrote on the subject, it has become increasingly clear that the European Commission will take a restrictive approach to the use of facial recognition technology, especially when such use is in public areas.

In April this year, the European Commission led the way in this area by suggesting a legal framework for the regulation of facial recognition and certain types of AI systems. The draft legislation (also explained in a press release here) looks to create “trustworthy AI” which protects the fundamental rights of citizens while strengthening AI investment and innovation across the EU.

The measures would restrict the use of live facial recognition to a very narrow set of scenarios where this would be deemed essential from a public interest perspective, such as the search for missing children or the policing of terrorist incidents. Even in such cases, the use of real-time facial recognition, or “remote biometric identification systems” as it is called in the draft legislation, would need to be subject to an “ex-ante third party conformity assessment”, i.e. pre-approved by a judge or a national authority.

The proposal also outlines a risk-based approach to AI, with AI use cases ranked from unacceptable risk to high risk, through to minimal risk uses. Unacceptable risk AI (such as social scoring practices) would be banned, while high risk AI (e.g. live facial recognition and credit scoring) would be subject to strict obligations prior to its deployment in the market.

Fines under the proposed legislation could be up to €30m or 6% of a company’s global revenue, whichever is higher – an even greater threshold than the GDPR €20m/4% fine ceiling.

Moreover, the draft legislation specifically states that it is “without prejudice and complements” the GDPR. At the intersection between AI and data protection, such as employment screening, where personal information is collected and then processed via AI-enabled software, non-compliance with either set of rules could push the fine ceiling significantly upwards to a combination of the €30m/6% and €20m/4%.

Finally, the proposal caters for the creation of a European Artificial Intelligence Board which would be tasked with overseeing the implementation of AI regulation. This would be akin to the European Data Protection Board, its GDPR equivalent.

As with GDPR, it is clear that the legislation (if adopted) would create much to be considered by those companies creating and marketing AI systems. The European Commission is determined to be the standard bearer in AI regulation and lead the way as it has done with the GDPR. Whether AI regulation will be a positive for the technology and innovation is obviously yet to be seen, but it is clear that the rights of EU citizens will be at the heart of any regulation in this area.

