European Union: Entry into force with grace period of AI Act including data protection measures for "high-risk" AI systems

On 1 August 2024, the regulation laying down harmonised rules on Artificial Intelligence (Artificial Intelligence Act) enters into force, 20 days following its publication in the Official Journal, with a grace period on its implementation. The AI Act is based on a risk-based management approach and introduces data protection obligations depending on the level of risk associated with the AI system. The Act includes a ban on cognitive behavioural manipulation, the untargeted scrapping of facial images from the internet, social scoring, biometric categorisation to infer sensitive data, such as sexual orientation or religious beliefs, and some cases of predictive policing for individuals. Further, the Act establishes certain data governance practices for training and testing data, such as the fact that they should be relevant, accurate, and sufficiently representative. The Act is generally implemented on 2 August 2026, though some sections are subject to variable implementation periods. As a result, the prohibition of the listed AI practices already apply from 2 February 2025. For high-risk AI systems according to Article 6(1), the data protection measures only enter into effect from 2 August 2027.