In 2021, countries in EMEA continued to focus on the legal constructs around artificial intelligence (“AI”), and the momentum continues in 2022. The EU has been particularly active in AI—from its proposed horizontal AI regulation to recent enforcement and guidance—and will continue to be active going into 2022. Similarly, the UK follows closely behind with its AI strategy and recent reports and standards. While our team monitors developments across EMEA, this roundup will focus on summarizing the leading developments within Europe in 2021 and what that means for 2022.

The Proposed EU AI Act

In April 2021, the European Commission published its proposed Regulation Laying Down Harmonized Rules on Artificial Intelligence (the “Commission Proposal”). The Commission Proposal sets out a horizontal approach to AI regulation that establishes rules on the development, placing on the market, and use of artificial intelligence systems (“AI systems”) across the EU (see our previous blog post here). The proposal is currently under negotiation between the co-legislators, the European Parliament and the Council of the European Union (“Council”).

Slovenia held the Council Presidency for the last six months of 2021, and France assumed the Presidency in January 2022. During its Presidency, Slovenia published a partial compromise text of the EU AI Act, focusing on edits to the classification of high-risk AI systems. The French Presidency circulated additional proposed amendments on 13 January 2022, focusing on the requirements for high-risk AI systems. Notable amendments in each version include:

Slovenian Council Presidency:

  • Scope. New Article 52a (and corresponding Recital 70a) would clarify that “general purpose AI systems” do not fall within the scope of the Act. Although the compromise text does not define this term, Recital 70a states they are “understood as AI system[s] that are able to perform generally applicable functions such as image / speech recognition, audio / video generation, pattern detection, question answering, translation etc.”
  • Social scoring. Article 5(1)(c) (and corresponding Recital 17) would extend the prohibition on AI systems used for social scoring as set out in the Commission Proposal, which is limited to public authorities, to private actors as well. Also, while the Commission Proposal limits the prohibition to social scoring used to evaluate the “trustworthiness” of natural persons, the Slovenian Presidency text removes this limitation, which would thereby broaden the scope of the prohibition.
  • Biometric identification. Amendments to Article 3(33) would broaden the definition of “biometric data” to include systems that do not “uniquely” identify people, while other amendments would make the Act apply not only to “remote” biometric identification systems, but to biometric identification systems broadly. For instance, Article 5 would prohibit law enforcement use of any biometric identification systems in publically available spaces, subject to certain exceptions.
  • High risk AI systems. Annex III would add to the list of AI systems qualifying as “high risk” those that are intended to be used to control “digital infrastructure” or “emissions and pollution.”

French Council Presidency:

  • Risks. Amendments to Article 9 (Risk management system) would clarify that high-risk AI systems must have a risk-management system allowing for the identification of known / foreseeable risks “most likely to occur to health, safety and fundamental rights in view of the [system’s] intended purpose.”
  • Trade-offs. Amendments to Article 9(3) specify that risk-management measures must aim to “minimis[e] risks more effectively while achieving an appropriate balance in implementing the measures to fulfil those requirements.”
  • Error tolerance. Amendments to Article 10(3)—concerning training, validation, and testing data—slightly relax the requirement that the data be “free of errors and complete”, now requiring data sets to be so “to the best extent possible.”
  • Human oversight. Amendments to Article 14(4) make clear that the supplier of high-risk AI systems must enable the system to allow for human oversight by natural persons.

The EU AI Act is also being considered by the European Parliament. Although it is listed as a high-priority piece of legislation in the Commission’s 2022 work program (see here), it may be some time before it is finalized.

EU Recommendations, Consultations and Reports on AI

In addition to activity on the EU AI Act, the EU has published additional recommendations, consultations and reports on AI:

  • The Council of Europe published a Recommendation (see here) that responds to the changes in profiling techniques in the last decade. It recognizes that profiling can impact individuals by placing them in predetermined categories without their knowledge and that the lack of transparency can pose significant risks to human rights. The recommendation encourages EU Member States to promote and make legally binding the use of a ‘privacy by design’ approach in the context of profiling, and sets out additional safeguards that should be imposed on profiling.
  • The European Commission published a public consultation (see here) to adapt product liability rules to ensure that they sufficiently protect consumers against the harms of new technologies, including AI. The consultation is split into two parts and gathers views on: (i) how to ensure that consumers and users continue to be protected against the harm caused by AI systems, particularly with respect to compensation, and (ii) how to address the problems purportedly linked to certain types of AI (e.g., where there is difficulty with identifying the potentially liable person, or proving that person’s fault or proving a product’s defect and the causal link with damage). The consultation period has ended, and the Commission intends to propose an update to the Product Liability Directive by the end of the third quarter of 2022.
  • On 6 October 2021, the European Parliament voted in favor of a resolution banning the use of facial recognition technology (“FRT”) by law enforcement in public spaces (see our previous blog post here). The resolution forms part of a non-legislative report on the use of AI by the police and judicial authorities in criminal matters (“AI Report”) published by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) in July 2021. The AI Report will be sent to the European Commission, which has three months to either (i) submit, or indicate it will submit, a legislative proposal on the use of AI by the police and judicial authorities as set out in the AI Report; or (ii) if it chooses not to submit a proposal, explain why.

Enforcement on Clearview AI

From an enforcement perspective, in 2021, a number of EU data protection authorities (“DPAs”) have taken enforcement actions on specific AI use cases, particularly relating to FRT. The most significant action has been the investigation against Clearview AI Inc. (“Clearview AI”) in relation to their personal information handling practices, especially the company’s use of data scraped from the internet and the use of biometrics for facial recognition. The UK Information Commissioner’s Office (“ICO”) and the Office of the Australian Information Commissioner (“OAIC”) conducted a joint investigation. In November 2021, the ICO issued a provisional intention to fine Clearview AI over £17 million for its breach of data protection laws, and its final decision is expected in 2022 (see here). Additionally, the French privacy regulator ordered Clearview AI to cease collecting images from the internet and to delete existing data within two-months (see here in French). Due to the significant processing of personal data involved in AI, DPAs have taken an interest in applying the GDPR to AI.

AI Activity in the United Kingdom

Following the UK’s exit from the EU on 1 January 2021, the UK government announced plans to reform UK data protection law and published its own National AI Strategy in September 2021 (see here and our previous blog post here). According to the UK’s AI strategy, the Office of AI is expected to publish a White Paper on regulating AI in early 2022. Further to this, the UK government has published a number of reports and standards relating to AI, for example:

  • The UK government’s Central Digital and Data Office (“CDDO”) published the Algorithmic Transparency Standard (see here) as part of the UK AI Strategy’s commitment to delivering greater transparency on algorithm-assisted decision making in the public sector. The Algorithmic Transparency Standard seeks to help public sector organizations provide clear information about the algorithmic tools they use, and why they use them.
  • The UK government’s Centre for Data Ethics and Innovation (“CDEI”) published an independent report setting out the roadmap to an effective AI assurance ecosystem (see here).
  • A new AI Standards Hub was launched by the Office of AI, supported by the British Standards Institution, in January 2022 (see here) to develop AI standards.

*          *          *

We will continue to closely monitor the regulatory and policy developments on AI in EMEA – please watch this space for further updates. For more information on developments related to AI and data privacy, please visit our AI Toolkit and our Data Privacy and Cybersecurity website.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lisa Peets Lisa Peets

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more…

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more than two decades, she has worked closely with many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, artificial intelligence, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services.

Lisa also supports Covington’s disputes team in litigation involving technology providers.

According to Chambers UK (2024 edition), “Lisa provides an excellent service and familiarity with client needs.”

Photo of Marty Hansen Marty Hansen

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues, including related to artificial intelligence. Martin has…

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues, including related to artificial intelligence. Martin has extensive experience in advising clients on matters arising under EU and U.S. law, UK law, the World Trade Organization agreements, and other trade agreements.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Photo of Marianna Drake Marianna Drake

Marianna Drake counsels leading multinational companies on some of their most complex regulatory, policy and compliance-related issues, including data privacy and AI regulation. She focuses her practice on compliance with UK, EU and global privacy frameworks, and new policy proposals and regulations relating…

Marianna Drake counsels leading multinational companies on some of their most complex regulatory, policy and compliance-related issues, including data privacy and AI regulation. She focuses her practice on compliance with UK, EU and global privacy frameworks, and new policy proposals and regulations relating to AI and data. She also advises clients on matters relating to children’s privacy, online safety and consumer protection and product safety laws.

Her practice includes defending organizations in cross-border, contentious investigations and regulatory enforcement in the UK and EU Member States. Marianna also routinely partners with clients on the design of new products and services, drafting and negotiating privacy terms, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of AI technologies.

Marianna’s pro bono work includes providing data protection advice to UK-based human rights charities, and supporting a non-profit organization in conducting legal research for strategic litigation.

Photo of Madelaine Harrington Madelaine Harrington

Madelaine Harrington is an associate in the technology and media group. Her practice covers a wide range of regulatory and policy matters at the cross-section of privacy, content moderation, artificial intelligence, and free expression. Madelaine has deep experience with regulatory investigations, and has…

Madelaine Harrington is an associate in the technology and media group. Her practice covers a wide range of regulatory and policy matters at the cross-section of privacy, content moderation, artificial intelligence, and free expression. Madelaine has deep experience with regulatory investigations, and has counseled multi-national companies on complex cross-jurisdictional fact-gathering exercises and responses to alleged non-compliance. She routinely counsels clients on compliance within the EU regulatory framework, including the General Data Protection Regulation (GDPR), among other EU laws and legislative proposals.

Madelaine’s representative matters include:

  • coordinating responses to investigations into the handling of personal information under the GDPR,
  • counseling major technology companies on the use of artificial intelligence, specifically facial recognition technology in public spaces,
  • advising a major technology company on the legality of hacking defense tactics,
  • advising a content company on compliance obligations under the DSA, including rules regarding recommender systems.

Madelaine’s work has previously involved representing U.S.-based clients on a wide range of First Amendment issues, including defamation lawsuits, access to courts, and FOIA. She maintains an active pro-bono practice representing journalists with various news-gathering needs.