European Union: Reached Council and Parliament agreement on AI including data protection measures for "high-risk" AI systems

On 9 December 2023, the Parliament and the Council of the European Union adopted a provisional agreement on the proposal on harmonized rules on artificial intelligence (AI Act). The AI Act, built on a risk-based management approach, introduces data protection obligations for both AI providers and users, varying depending on the perceived level of risk associated with the AI system. The compromise agreement clarifies the definition of an AI system by aligning it with the OECD's proposed approach, seeking to differentiate AI from simpler software systems. The AI Act specifically exempts systems exclusively utilized for military or defence purposes and those employed solely for research, innovation, or non-professional personal use. The Act includes a ban on cognitive behavioural manipulation, the untargeted scrapping of facial images from the internet, social scoring, biometric categorisation to infer sensitive data, such as sexual orientation or religious beliefs, and some cases of predictive policing for individuals. Further, the Act establishes certain data governance practices for training and testing data, such as the fact that they should be relevant, accurate, and sufficiently representative. Following the provisional agreement, the next steps involve finalising the document and submitting it to the European Union Parliament and Council for adoption.