What is the EU AI Act and why should you care about it?

post by MathiasKB (MathiasKirkBonde) · 2021-09-10T07:47:56.995Z · EA · GW · 5 comments

Contents

  What are the act's important points?
    for 'high-risk' AI
    of the European AI Board
    ban of certain AI uses
    systems must make themselves known
  Why should you care about the AI Act?
    AI Act is a smoke-test for AI governance
    Brussels Effect
    AI Act lays the foundation for future AI regulation
    passed the legislation is unlikely to see major changes or updates
  Responses from the EA community
    points often emphasized
    suggested improvements
  What is next
None
5 comments

On April 21 the European Commission announced their proposal for European regulation of AI

The proposal strives to be for AI what GDPR has been for data protection.
Over the coming years the proposal will go through multiple readings in the Parliament and Council, where modifications can be proposed to the act before it is finally adopted or dismissed.

After the AI Act was announced, most attention fell on the act's wide definition of AI and blanket bans on 'manipulative AI'. Unfortunately this focus has led many to miss out on the most important points of the act.

I noticed there were no forum posts that would help someone get up to speed on the act. In this post I will summarise the act's most important points, how it may affect the development of transformative AI, as well as the EA community's response to the proposal.

What are the act's important points?

I below outline what I deem the most important points of the regulation, based on their effect on the development of transformative AI. I skip lightly over many details of the act, such as regulatory sandboxes and special rules for biometric systems, to keep the summary brief.

The act will apply to all EU countries and supersede any conflicting national law. Because of the act's broad definition of AI, it is difficult for any EU countries to make laws on AI which would not be in conflict.

It does not apply to military use of AI. Here countries are free to do as they see fit.

Rules for 'high-risk' AI

The Act lists a series of 'high-risk' areas. Systems operating in a high-risk area are considered high-risk and must be reviewed and approved before they can be placed on the market. This means that the AI Act's regulation will not apply to AI developed and used internally by companies. High-risk systems include everything from AI management of electricity grids, to AI that determines who to promote or fire.

Areas that are considered high-risk where certain uses are restricted are the following:

A red thread across the systems which are considered high-risk, is that they make decisions which significantly affect the lives of citizens. The full list of high-risk systems is two pages and can be read in Annex III.

After the law is passed, the commission can add new uses of AI that must be approved as long as they fall under any of the existing high-risk areas.

For a high-risk system to be approved the provider must submit detailed technical documentation for the system.¹ Requirements for technical documentation include:

In other words the act creates a large, (partially) updatable list of areas where nobody is allowed to deploy AI without explicitly getting approval, which you only get by living up to numerous safety requirements of which one is a working off-switch. High-risk systems not only need approval, but must also be continuously monitored after they are placed on the market.

Establishment of the European AI Board

To enforce this, the act requires new institutions to be created.

The national supervisory authorities are responsible for approving high-risk systems and doing post-market monitoring to ensure approved systems are working as intended and pose no threat to EU citizens.

If two national supervisory authorities get into a dispute over whether a system should be approved or not, the European AI Board steps in and makes a final decision. The European AI Board is also responsible for overseeing and coordinating the national supervisory authorities.

Blanket ban of certain AI uses

Social scoring systems by governments are entirely banned.

The EU Act also bans use of AI that "deploys subliminal techniques beyond a person’s consciousness in order to materially distort a person’s behaviour in a manner that causes or is likely to cause that person or another person physical or psychological harm"

If you are finding it unclear exactly which AI systems would fall under this definition you are picking up on an important EU practice. By leaving law deliberately vague, it becomes the job of the European Court of Justice and standardisation bodies to determine what systems fall under this definition when specific cases of accused misuse are brought to court. This is done with the belief that specific definitions fall prey to loopholes, whereas the court is better able to punish only those who go against the 'spirit' of the law.

A less flattering analysis is that the ban is window dressing. The commission has struggled to come up with any examples of a banned use case that wouldn't already considered illegal by other EU regulation.²

AI systems must make themselves known

Any AI system that interacts with humans, must make it clear that it is an AI.
A customer-service chatbot pretending to be a human agent will, for example, be illegal.

Users of an AI system which generates deepfakes or similar content must disclose to their audience that the content is fake.

Users of emotion recognition or biometric categorization systems must disclose this to the subjects that they are using the system on.

Why should you care about the AI Act?

The AI Act is a smoke-test for AI governance

The AI act creates institutions responsible for monitoring high-risk systems and possibly broader monitoring of AI development in Europe. Doing so effectively is a monumentally difficult task that takes trial and error to do well.

If/When the monitoring of transformative AI systems becomes necessary, the AI Act ensures that the European Union will have institutions with plenty of practice. Other countries looking to implement similar oversight measures will also be able to learn from the AI Board's successes and failures.

The Brussels Effect

The EU AI Act is the single biggest piece of AI legislation introduced to the world yet. If history is anything to go by, there are good reasons to believe the act will influence the development of AI and AI legislation the world over.

When GDPR was introduced it was cheaper for Microsoft to just implement GDPR worldwide than to create a separate European version of every service they offer. Similarly we can expect it to be cheaper for AI developers serving the European market to ensure all systems are developed to be compliant with European regulation. This phenomenon has been dubbed the Brussels Effect.

The extent to which the Brussels Effect will affect the development of transformative AI is conditional on the continuity of AI takeoffs.

If transformative AI is brought about by a continuous stream of incremental improvements, we can expect development to be constrained by nearterm profits. Companies choosing to forego the European market face a competitive disadvantage. In such a world European laws and regulation is likely to play a significant international role.

In a world where transformative AI is brought about by discontinuous jumps in capability, we are much more likely to see races between private companies and governments alike all gunning to be first. In this world the European Union will struggle to be internationally influential.

I have written a rough analysis of why this is which can be read here.

The AI Act lays the foundation for future AI regulation

The AI act sets up institutions that will play an important role for all future regulation. Lawmakers around the world will draw lessons from its successes and failures. An AI act that is a smashing success moves the overton window, and enables future regulation. The act sets important legal precedents, for example that high-risk AI should be continuously monitored to prevent harm.

Once passed the legislation is unlikely to see major changes or updates

Flagship regulation of the EU such as GDPR and REACH (chemical regulation) tend not to see major updates even decades after having been passed.

Whatever act is passed, Europe will be stuck with for a while if going by historical precedent. Though that historical precedent may not be particularly applicable. If AI starts rapidly and visibly transforming society, I doubt the commission will be shy to suggest large updates to the regulation.

Responses from the EA community

The AI Act has received mixed responses within the EA community. I've summarized what I view as the main positive points emphasized by the EA community and the main areas that need improvements.

Positive points often emphasized

Commonly suggested improvements

You can read the public responses from various EA and EA Adjacent organisations here:

What is next

Insofar as the AI Act matters, now is the time to act. The EA community is generally hesitant to engage directly with policy for good reason. We barely know what good AI policy looks like, and we would preferably wait with acting before we know how to act and the consequences of doing so.

But the rest of the world is not static and will adopt policy even if we would prefer to wait. The choice is not to engage with the act now or later, it is to engage with the act now or never.

The AI act is not yet final, but the European Union is likely to see some version of this act passed in the coming years. Name of the game for EA organisations engaged with the act is generally to push for improvements similar to the commonly suggested ones, but there is much more work which can be done.

If the act is passed EA's wanting to work with AI in the European Union, should keep an eye out for new opportunities such as working in the EU AI Board or national supervisory authorities. This may be particularly impactful in the early years of these institutions when the culture and practices are particularly malleable.

 

 

¹ The full list of required technical documentation can be found in annex IV

² Demystifying the AI act argues this in greater detail.

5 comments

Comments sorted by top scores.

comment by Risto Uuk · 2021-09-13T13:22:05.650Z · EA(p) · GW(p)

Thank you for writing this summary!

I wanted to share this new website about the AI Act we have set up together with colleagues at the Future of Life Institute: https://artificialintelligenceact.eu/. You can find the main text, annexes, some analyses of the proposal, and the latest developments on the site. Feel free to get in touch if you'd like to discuss the proposal or have suggestions for the website. We'd like it to be a good resource for the general public but also for people interested in the regulation more closely. 

comment by HaydnBelfield · 2021-09-13T09:48:14.025Z · EA(p) · GW(p)

Excellent overview, and I completely agree that the AI Act is an important policy for AI governance.

One quibble: as far as I know, the Center for Data Innovation is just a lobbying group for Big Tech - I was a little surprised to see it listed in "public responses from various EA and EA Adjacent organisations".

Replies from: MathiasKirkBonde
comment by MathiasKB (MathiasKirkBonde) · 2021-09-13T15:30:22.751Z · EA(p) · GW(p)

I'm not very familiar with the Center for Data Innovation, thank you for pointing this out!

I included their response as its author is familiar with EA and well reasoned. I also felt it would be healthy to include a perspective and set of concerns vastly different from my own, as the post is already biased by my choice of focus.

That being said I haven't gotten the best impression by some of the Center for Data Innovation's research. As far as I can tell their widely cited analysis which projects the act to cost €31 billion has flaw in its methodology which results in the estimate turning out much higher. In their defense, their cost-analysis is also conservative in other ways, leading to a lower number than what might be reasonable.

comment by Lukas_Finnveden · 2021-09-11T09:35:26.277Z · EA(p) · GW(p)

Thank you for this! Very useful.

The AI act creates institutions responsible for monitoring high-risk systems and the monitoring of AI progress as a whole.

In what sense is the AI board (or some other institution?) responsible for monitoring AI progress as a whole?

Replies from: MathiasKirkBonde
comment by MathiasKB (MathiasKirkBonde) · 2021-09-11T11:22:01.944Z · EA(p) · GW(p)

Sorry I should have said "monitoring AI progress in Europe as a whole" and even then I think it might be misleading.

One of the three central tasks of the AI board is to 'coordinate and contribute to guidance and analysis by the Commission and the national supervisory authorities and other competent authorities on emerging issues across the internal market with regard to matters covered by this Regulation;'

For example, if a high-risk AI system is compliant but still poses a risk the provider is required to immediately inform the AI Board. The national supervisory authorities must also regularly report back to the AI Board about the results of their market surveillance and more.

So the AI Board both gets the mandate and the information to monitor how AI progresses in the EU. And they have to do so to carry out their task effectively even if it's not directly stated anywhere that they are required to do so.

I hope this clears it up, I'm happy that you found the post useful!