Briefly

TRANSCRIPT

00:10
Adam Stofsky
So today we're going to talk about the EU AI Act. Why do people need to know or think about this law?

00:17
Julia Apostle
That's a very good place to start. So what is the AI Act? It is a European regulation, first of all. So ostensibly it only applies in Europe, but it actually does have some extraterritorial effects to the extent that providers of AI systems that are going to be used in Europe are going to be covered by the Act. So therefore anyone that's targeting the EU market with its AI systems or possibly AI models or using AI in Europe on behalf of their business should be aware of the act and what it might mean for them and their operations and their either development or deployment of AI. That's the high level in terms of what it actually does.

01:04
Julia Apostle
It adopts a risk based approach to regulating AI, which means that in theory and you know, we'll see in practice, as the act is implemented over time, only the most high risk AI systems are subject to obligations and only specific types of AI models are subject to obligations. So therefore, if an AI system doesn't fit within one of the risk categories or an AI model is not one of the, you know, the type of model that's regulated, and those are so called general purpose AI models, what we would think of as large frontier or foundation models, then it won't be covered. And the reality is that most AI systems and most AI models are going to be out of scope. That's an important. Because it's getting a lot of hype.

01:53
Adam Stofsky
Right, right. So this is designed to regulate the sort of most cutting edge, influential and I guess, risky AI systems.

02:04
Julia Apostle
Yeah, keeping the risky. Because the point of the act is also to encourage innovation. Right. To create a sense of legal certainty that only the highest risk AI systems will be subject to regulation. So you don't have to wonder like, where am I going to fall? And therefore pursue innovation, you know, with a sense of relief or reassurance. And another key objective of the law and most of the European digital regulations is to sort of harmonize the playing field in terms of applicable rules. Because the worst case scenario would be to have 27 different European jurisdictions all taking a kick at the can of regulating AI risk.

02:49
Julia Apostle
So the European Commission has sought to preempt sort of a fractured approach by implementing this regulation, which in the long run will go a long way to helping innovation if developers of those high risk AI systems or models only have to comply with one set of rules. At least that's theory.

03:08
Adam Stofsky
So does this mean that like most companies are Just off the hook and don't have to think about this at all.

03:13
Julia Apostle
If only it were that simple. So the, I mean, so what matters is, you know, if you're using or developing an AI system, you still need to know, am I deploying it in Europe? If yes, is it caught by the risk categories? Because the act sets out specific categories of risk. There's actually some prohibited types of systems, which is, you know, if your AI system is covered by a prohibited use case, then you can't even put it on the market in Europe. So these are things that a company wants to know. And there are some risk categories that would cover systems that are widely used within organizations, in particular in relation to human resources.

03:58
Adam Stofsky
So can you say a bit more about that?

04:00
Julia Apostle
Yeah. So one of the high risk categories that will have the broadest application potentially are AI systems that are used to make hiring and managerial decisions. So, you know, there are a lot of those systems, CV scanning, maybe performance evaluation and so forth.

04:19
Adam Stofsky
So recruiting and advertising for jobs, that sort of thing.

04:21
Julia Apostle
Yeah, anything that can lead to a decision that has an impact on a person's rights or livelihood in a sort of employment context is likely to be considered high risk. We're waiting for more guidance on this, and the guidance will help clarify the exact scope of that risk category. But that's one where a lot of organizations, even ones operating internationally, may be impacted. Because if it's an international organization, even if the HR department is located outside of Europe, if the HR department outside of Europe is using a system that makes decisions in relation to people who are hired, fired or otherwise managed in Europe, then that AI system might be caught.

05:09
Adam Stofsky
So in other words, I know there's legal definitions of these things we won't get into now, but if you make the AI system or if you kind of use it to make important decisions, those things are both covered potentially by the EU AI Act.

05:23
Julia Apostle
Yeah, that's the other important distinction. You're entirely correct is depending one's role in relation to the system, the obligations are different. So providers, those are the developers, have most of the obligations under the Act. Deployers of high risk AI systems also have some obligations, so you need to be aware of them in relation to transparency and oversight, but not as many as the providers. And everybody for now has an AI literacy obligation.

05:54
Adam Stofsky
Right, okay, that's interesting. So can you just, before we move on to the next question, can you just kind of sketch out a few more of the high risk categories or prohibited categories? You don't need to list all of Them, but just to give us some flavor.

06:09
Julia Apostle
Yeah, sure. So AI systems that are used for remote biometric identification, for example, for categorizing people based on biometric information in certain cases making decisions regarding health and life insurance coverage. Also systems that are used to dispatch emergency services, those sorts of things. AI systems used in law enforcement context for specific use cases like identifying or predicting the commission of criminal offenses, for example. Although some of those systems are also, you know, prohibited, subject to restrictions also. And yeah, that's, I mean, that's not an exhaustive list, but it's an example.

07:04
Adam Stofsky
So it's sort of obvious and intuitive in a way. But, but it's, it's good to always think about. All right. Is this particular use of AI likely to be considered high risk?

07:14
Julia Apostle
Yeah. Oh, also educational setting, that's another one. Decisions about access to training and education, that sits alongside the sort of the professional work case scenarios.

07:24
Adam Stofsky
Right. Okay. So I guess the area where this is likely touch most people's lives in the short term, I think is kind of all these different generative AI tools that people are using every day, often dozens of them in a day. How do you think about it?

07:42
Julia Apostle
Well, I'm glad you mentioned those tools specifically because sort of the generative AI tools are, you know, what we'd consider to be under the act, systems that interact with users or directly interact with users. And they are in their own category. Right. The, the European Commission refers to this as a risk category, but the AI act doesn't. It just says that certain other AI systems will have transparency obligations. And those, certain other systems are those that interact with human users and that are generating, you know, synthetic content like text, image, video and so forth.

08:19
Julia Apostle
And so there is one provision in the act that imposes requirements both on the developers of those systems and on their users in relation to transparency and making sure that users know when they're interacting with that kind of system and making sure that the content that's generated by those systems is sufficiently identifiable as AI generated throughout the sort of use lifecycle or the content lifecycle.

08:45
Adam Stofsky
So anything generated by AI has to be, I'm sure this is going to be way too general a question to answer, but has to be kind of labeled as made by AI or something like that.

08:56
Julia Apostle
Yeah, subject to. Exceptions are important. Right. But you know, like, you know, there's an exception for information that's published in the public interest where, like where there's a, where there is editorial oversight. Right. So a news organization that's publishing Edited articles online that may have been created with the assistance of AI won't necessarily need to be identified. There's also exceptions for artistic creations where, you know, marking it AI generated would completely interfere with the artistic nature of the work. But we have to look at the scope and the use case and so forth to be able to apply those exceptions.

09:47
Adam Stofsky
Got it. Okay, great. Last question just before we close up for today. Is this law like what's the timing? Is this law been passed? Is it in effect? What's the timeline?

09:58
Julia Apostle
It's a moving target. So this is the law has been adopted, parts of it are enforced and it's got a staggered implementation. Right. So there are some general provisions that are enforced. Obligations that have been imposed on general purpose AI model providers are technically in force in relation to models that were placed on the market or that will be placed on the market from the 2nd of August of last year. There is some grandfathering provisions as well. Right. In relation to both high risk AI systems and general purpose AI models. And then the bulk of the law's provisions are meant to come into Force on 2 August 2026. However, we haven't got into this, like what are the nature of the obligations that apply to high risk AI systems? Those obligations are backed by technical standards that are voluntary.

10:58
Julia Apostle
Those technical standards have not been fully drafted or adopted by the European Commission yet. So there are discussions ongoing right now and a proposal to extend the compliance period in relation to high risk AI systems until another year. So 2nd of August 2027. I don't know what exactly that would do to the grandfathering. Right. But we'll see. And notably the prohibitions are already in force. Right. So it's already from last year illegal to place certain types of AI systems on the market in here in Europe. Those would be ones, for example, that are so manipulative that they cause people to make decisions that cause them harm, that, you know, scrape the Internet for facial images to create massive facial recognition databases and other very high risk use cases. There's a limited number of those, but those are already enforced.

11:59
Julia Apostle
And we don't really expect any AI system to developer to be putting up their hands and say, oh my system is totally prohibited, I am taking it off the market. Those will probably be enforced on a sort of X post.

12:12
Adam Stofsky
Right. Wow. So much to say here. Obviously a lot's going to change in the next year and a half, so we'll continue to be updating our audience on this. But for now, thank you so much, Julia, really appreciate it.

12:23
Julia Apostle
Thanks Adam.