Legal implications of the Artificial Intelligence Act for cities, regions, and communities 20240619

00:00

a lot of uh discussion going on uh very

00:02

quickly the social scoring uh obviously

00:04

uh is something which is prohibited um

00:07

and for everybody uh so it's public

00:09

sector there was there from the

00:10

beginning but it has also been extended

00:11

to private sector now you know social

00:13

scoring is the the idea of China you

00:15

have thousand points at the beginning of

00:16

the year if you cross the traffic light

00:18

when it's red they take a point away and

00:19

if you have 500 points you're not

00:21

allowed to take the train anymore um we

00:23

also have biometric categorization

00:25

that's maybe uh not that relevant for

00:28

many people but it's important to have

00:29

that because there actually are people

00:31

trying to do that you know try by the

00:32

size of your your nose to identify

00:34

whether you're going to vote left or

00:35

right um um we have the face recognition

00:39

that's very important for public

00:40

authorities especially in in the law uh

00:43

law

00:44

enforcement um it is forbidden but it's

00:47

allowed under certain circumstances for

00:49

example if you have uh imminent threat

00:51

of terrorist attack uh what has changed

00:54

relative to the initial proposal is now

00:56

that now you basically need a warrant I

00:57

mean it's not called a warrant but you

00:58

need a uh prior authorization by by a

01:01

judge basically um so that it's possible

01:04

under certain circumstances but you know

01:06

it really has to be checked very

01:08

much uh individual predictive policing

01:10

uh that's also something obviously of

01:12

interest for for public

01:13

authorities is not allowed the focus

01:16

being on the individual so uh no

01:18

Minority Report you can still do

01:21

predictive predictive policing uh on the

01:23

base uh on the basis of place or time

01:25

you know you can still try to get your

01:27

AI to identify that the most dangerous

01:29

time of the year is the 31st August in

01:31

the afternoon and maybe the most

01:33

dangerous road right now is the cross of

01:34

rala and

01:36

pluma uh so that's uh continues to be

01:40

possible uh but it is it's a high risk

01:43

um same as biometic everything which is

01:45

forbid forbidden and if then there's an

01:46

exception that exception becomes

01:48

automatically high risk and I come back

01:50

later to what that actually means also

01:52

forbidden is um the is emotion

01:55

recogition in the

01:57

workplace um that figuratively speaking

01:59

so uh it means for workers so if you are

02:02

um you're not allowed to you know check

02:05

the the smile on the face of your

02:06

employee when they interact with

02:08

customers but you are actually allowed

02:10

to do that on the customer side um then

02:13

is high risk of course um and that of

02:15

course is something uh which applies to

02:18

to public institutions as well

02:19

especially also to education and so far

02:21

as the public um and then uh there's

02:24

exception for medical safety reasons so

02:25

you can still have your camera wake up

02:28

the lower driver before you fall to

02:29

sleep

02:30

uh and then last but not least

02:32

untargeted scraping um you're not

02:33

allowed to build up face spatial images

02:37

um just for fun you know it's that's the

02:39

Clear View case uh but it's also true

02:41

not just for the internet also for True

02:43

for CCTV so you can just use your camera

02:46

from um you know your CCTV in the train

02:49

station or in this big shopping center

02:51

or in in the in

02:53

the L in the um in the big building of

03:00

of the city uh just to build up a uh a

03:03

database of of face

03:05

images so that's roughly the provisions

03:08

you see it's still a very small number

03:09

it's like six it's a bit longer than it

03:11

was before but it's roughly roughly

03:13

stayed in a very small number especially

03:16

because that's a limited list of course

03:17

and the the allowed ones is an unlimited

03:21

list um the highrisk systems haven't

03:24

changed very much

03:26

um the uh one important thing to

03:29

remember here is that highrisk AI is

03:32

good AI so um the dividing line between

03:35

better and good AI is really between

03:37

forbidden and highrisk so the bad AI is

03:39

forbidden you may not do it highrisk

03:41

systems are potentially uh beneficial AI

03:44

there's nothing wrong with them however

03:47

because they can have a huge impact on

03:48

people's lives if they're not done

03:50

properly you really have to uh have

03:52

minimum quality uh criteria and that's

03:54

what the a activity does so the

03:57

high-risk use cases um they concern

04:00

certain critical infrastructure there's

04:01

there's a well actually three two

04:03

elements which are not on list here

04:05

first of all there's the kind of

04:06

manufacturing the the physical anything

04:09

which can kill or M you moves fast is or

04:10

made out of metal or has spikes motor

04:13

sauce cars or whatever if you put any uh

04:15

safety relevant uh AI into a safety

04:18

relevant component uh that AI has to be

04:20

verified you know if you have a put AI

04:24

into the braking system of your car uh

04:25

you need to verify the AI before you can

04:27

actually use it there uh if you put a in

04:29

the sound system you don't need to do it

04:30

because it's not

04:31

safy um and then there's the second list

04:35

um which is not here uh because it's a

04:37

bit long which is uh basically

04:39

everything in the migration Asylum

04:41

police enforcement area because there's

04:42

quite a lot of cases in there uh when I

04:45

say a lot it's still you know like 20 or

04:47

25 cases so it's still a limited number

04:49

but is quite a lot because not because

04:51

the people in that area do a bad job but

04:53

simply because if something goes wrong

04:55

then you know that's a much bigger

04:57

problem if you're talking about police

04:58

you know if you the system Mal functions

05:00

and you were put in excuse me uh to

05:03

interrupt you but there is a comment on

05:04

the chat uh could you please speak a bit

05:08

lower I think that we having a bit of

05:11

because it's a very complex and Rich

05:14

topic and it takes a bit of time also to

05:16

process the information thank you very

05:18

much and apologies for interrupting no

05:21

no

05:22

sorry um okay so um that's because in

05:27

the in the uh law enforcement area

05:29

there's just if something goes wrong the

05:32

consequences are much worse and if you

05:34

are put into jail for 3 days before the

05:36

AI system realizes it has made the

05:38

mistake that of course is a much bigger

05:40

problem than you know if some some other

05:42

AI system malfunctions and maybe you

05:44

know something in the factory goes

05:47

wrong uh but in addition to that um we

05:50

also have the list here the you need you

05:53

have certain critical

05:54

infrastructures um such as uh Road

05:58

Traffic Supply water Etc where of course

06:01

it's very important that these function

06:02

for society that's why they're high risk

06:05

uh but then you also have things like

06:06

educational and vocational

06:09

training so uh especially things like

06:13

providing access to University selecting

06:15

candidates from

06:16

universities evaluating um students but

06:21

also software to monitor cheating

06:23

because obviously that's these things uh

06:25

getting access to University passing

06:27

your exam uh are very important for for

06:30

for um for well basically for your

06:32

future career and uh therefore if by

06:35

mistake uh they consider that you have

06:37

been teaching well that's not true that

06:38

is a a serious

06:40

risk um very important uh for the public

06:44

sector just as well as for the private

06:46

is employment um that's first of all uh

06:50

the recruitment area so uh job

06:53

applications or evaluation of candidates

06:55

so uh sorting of CVS uh which by the is

07:00

meant in a large sense so it's not just

07:02

you have a job um and then you sort the

07:05

CVS uh by uh buy an artificial

07:09

intelligence system is also um you have

07:11

candidates the kind of offers you

07:13

provide to these candidates that also

07:15

included here uh but also um for example

07:19

the evaluation of workers or the job

07:22

termination uh all of this is high risk

07:24

well contribution to job termination of

07:26

course and then we have the access to

07:28

essential private and public

07:31

services um that was there from the

07:33

beginning um you're allware of of of the

07:36

big Scandal the had in the Netherlands

07:37

uh and it have been uh added a couple of

07:40

private uh uh private Services

07:42

especially in the financial area uh

07:44

credit scoring uh pricing of life and

07:46

health

07:47

insurance um now all of these are

07:50

high-risk cases and therefore they have

07:51

to uh comply with a certain number of

07:53

obligations and I'm I understand that

07:56

Laura is going to explain to you the

07:58

obligations so I'm going to skip that

08:00

part um and in particular for public

08:03

authorities there's the fundamental

08:05

rights impact assessment which I'm going

08:06

to skip as well um

08:09

the new the big new element in the uh

08:13

final version of the a Act is a Jal

08:15

purpose

08:16

AI um so here for the kind of big but

08:21

well very big but not hugely very big

08:25

systems you need you have additional

08:27

transparency requirements um so that the

08:30

people who might want to use a general

08:32

purpose system for a specific purpose

08:34

later on can actually fulfill the

08:36

obligations and then the most important

08:38

is the general purpose AI with systemic

08:40

risk that's the um the uh the these are

08:46

the general purpose systems which are

08:48

incredibly big um so the threshold here

08:51

has been set at the 10 of at the level

08:53

of 25 flops floating operations I have

08:56

given this speech a lot of times I've

08:58

never met anybody who actually knows

08:59

what a floating operation is uh but just

09:01

to give you an idea uh CAD GPT 3 no

09:05

sorry C GPT was developed with 10 at the

09:07

level of 18

09:08

flops uh now you might consider that you

09:11

know 10 18 and 25 is pretty close uh but

09:14

since we're talking about levels here

09:17

that means it's a million times bigger

09:19

than than chat GPD so they're very very

09:21

very big systems these are the systems

09:24

uh care uh which you know El musk talks

09:27

about it talks about AI taking over the

09:29

world the end of the the end of the

09:30

world as we know it um now if you have

09:34

these systems then you have obviously

09:36

the same obligations as from a lower and

09:38

you have to do a state-of-the-art model

09:40

evaluation which basically means you

09:41

have to try to to turn this system away

09:45

from what it's supposed to do and make

09:47

it do things that it's not supposed to

09:48

do and if you U succeed in doing that uh

09:52

then obviously you have to redo the

09:53

system until eventually it only does

09:55

what it's supposed to be

09:57

doing um now with the general property

10:00

AI comes another innovation in the AI

10:03

act compared to what we originally

10:05

proposed which is we now have a uh an

10:08

enforcement system which is basically

10:10

cut into two uh the specific AI has

10:14

always been uh the idea has always been

10:17

to implement that at a national level so

10:19

member states uh designate an authority

10:22

which can vary from Member state to

10:23

member State everybody has a choice so

10:26

some member states might want to um use

10:28

their data protection authority others

10:31

the cyber security Authority Spain as

10:33

far as I know has decided to create a

10:35

totally new Authority so that's you know

10:37

totally up to member states uh and they

10:39

will actually enforce all of the uh

10:41

rules on highrisk cases uh and these

10:44

member states then come together in the

10:45

European AI board which is really

10:47

glorified member states committee and

10:49

then you have two committees which

10:50

support the AI board one is the

10:52

scientific panel where you have the

10:53

academic experts telling them what's

10:54

possible and what's not possible and

10:56

then youve the you've got the advisory

10:57

form which is really where the

10:59

stakeholders are so you have industry

11:02

you have uh Academia Civil Society smmes

11:07

you know any kind of uh political group

11:09

which might be interested and uh would

11:12

want to uh know Express their opinions

11:15

uh and that's roughly the way it stays

11:17

and the new thing which we have is the

11:19

AI office uh I hasten to add that we did

11:22

not ask for that that's not an idea of

11:23

the European commission the European

11:25

Parliament decided that it was and the

11:28

council agreed that was necessary for

11:30

the general purpose AI uh to have one

11:33

centralized enforcement body in Europe

11:35

so the split is really specific AI

11:39

National level with coordination at

11:41

European level uh general purpose AI is

11:44

being regulated by the AI

11:49

office now the AI office actually was

11:51

launched uh two days ago on

11:54

Monday

11:55

um it is a bit bigger than just the

11:58

regulation um because and there I come

12:01

back to what I said at the beginning uh

12:03

we are not only about regulating AI we

12:05

don't think AI is very negative we also

12:07

think it very positive and therefore it

12:09

was felt it was felt and it was that

12:11

it's important that the AI office is not

12:13

only dealing with the negative Parts but

12:15

also for the positive parts so the AI

12:18

office is both responsible for the

12:20

regulation and the safety of AI but it's

12:23

also important for uh it's also uh

12:26

responsible for promotion of AI for

12:29

research of a in Ai and for innovation

12:31

of AI and for the use of AI for uh

12:34

positive

12:35

purposes um now as I said it was

12:39

launched two days ago but of course for

12:40

the moment it's still very much on paper

12:43

um simply because the AI Act is not yet

12:45

in force it will only come in for in

12:48

force on the 1st of August uh and

12:50

therefore we still basically have the

12:52

same people we had before uh we will

12:55

however start well we actually have

12:56

started hiring but the people are not

12:58

there yet uh hopefully the a office will

13:01

be full strength by the end of the year

13:02

and then it will actually be functioning

13:05

as a office for the moment it's a bit of

13:07

an empty shell but not totally empty

13:08

because there are some people there but

13:09

it's a shell which still needs to be uh

13:13

filled uh an important element of the a

13:16

act uh and here again I come back to the

13:19

fact that we quite positive what the

13:21

sandboxes uh the idea is that uh you

13:24

have one uh in each member State um and

13:28

basically basically the idea is that it

13:31

allows companies to develop AI with a

13:35

very easy access for regulatory

13:37

questions to the authorities so if you

13:40

if you develop your AI and you have a

13:41

question uh and you're not sure whether

13:44

you know that actually would be

13:45

compatible or not with the a act then if

13:48

you're in the sbox you actually

13:49

basically just pick up the phone and ask

13:51

uh and the reason one of the reasons we

13:54

did that is because one of the lessons

13:55

of the uh data protection regulation is

13:58

that very of often the problem is not

14:00

really what's allowed and what's

14:01

forbidden but the uncertainty that

14:02

people don't really know what they may

14:04

and what they may not do and the

14:06

sandboxes here are really an attempt uh

14:09

to uh address that uh yeah for companies

14:12

then the advantages that they um you

14:15

know get much faster access to to advice

14:17

and they don't need that many lawyers to

14:19

actually tell them what they can and

14:20

cannot do um the AI act uh enters into

14:25

Force progressively over the next couple

14:27

of years so the first first to come into

14:31

uh into Force are the prohibitions after

14:34

6 months so if the AI act enters into

14:36

force on the 1st of August they come

14:39

into force on the 1st of February next

14:41

year the prohibitions are first because

14:43

they're easiest to do you just have to

14:45

stop doing them you don't have to get

14:46

any certification or any controlled

14:48

Authority or anything you just have to

14:50

stop doing them you still need a

14:52

transition period because you might want

14:54

to replace a prohibited system by

14:55

another one which is not prohibited

14:59

uh and of course we will have to um uh

15:02

provide guidance on that uh in general

15:06

the a act uh was concluded as you may

15:10

remember very much under time pressure

15:12

and therefore there was quite a number

15:13

of issues which were well not left open

15:15

but maybe not as detailed as as it could

15:19

have been and um the result of that is

15:21

that the a office will have to draft

15:23

something like 60 um acts 60 60 texts

15:27

over the next uh well basically 24

15:30

months uh they can be codes of conduct

15:33

uh codes of practice delegated act

15:35

implementing acts there a whole variety

15:37

of of things to do and of course they

15:40

they have to follow the um entry into

15:42

Force so the first things we have to do

15:43

is the guidance on prohibited systems uh

15:45

we're working very much on that and then

15:47

the next one uh which comes uh is uh the

15:50

roots on general purpose AI uh and we're

15:53

also very much working on that right now

15:55

keeping in mind uh and here once again I

15:57

come back to at the beginning um you

15:59

know when we're drafting this we're very

16:01

much trying to ensure that the AI act

16:03

works but also to promote Ai and to make

16:05

sure that it doesn't get stifled and The

16:06

Innovation can be developed in Europe um

16:09

even within the framework of that um of

16:12

uh of that act last but not least um it

16:16

comes into into Force relatively quickly

16:19

but there's still two years to go uh for

16:21

the highrisk applications and three

16:23

years for the for the physical high-risk

16:25

applications that's why our commissioner

16:27

has created the AI Pact so it's an act

16:29

with a p in front of it a PCT where

16:31

basically companies can come forward and

16:34

promise to already apply the

16:36

rules uh ahead of time so uh instead of

16:40

applying them in 24 months they can

16:42

apply them already today and we've got

16:45

around 500 companies already

16:47

joining and the reason why that is

16:50

actually possible is because many of the

16:52

obligations we are asking companies to

16:54

do is really only state-of-the-art and

16:57

therefore many of large companies which

16:58

have state state-of-the-art AI they're

17:01

fulfilling them anyway and for them it's

17:03

an easy way uh to just sign up to the a

17:05

pack they don't really have to do much

17:06

of an effort just a bit uh to to make

17:09

sure that all of this is

17:10

compatible okay and with that I have

17:12

exceeded my time by five minutes I'm

17:14

sorry about that um but I hope you have

17:18

mercy with

17:19

me thank you very much um and did I

17:23

didn't um say but yeah we can ask a few

17:26

questions now and then uh move to the

17:29

next presentation so we have two

17:31

questions in in the in the chat uh which

17:34

one of these I I agree with Gabriel had

17:36

the same um the same doubt on the AI PCT

17:40

um because uh I also was not aware of

17:43

this um I just heard it a few days ago

17:46

in another presentation um and uh online

17:49

uh there is also an expression of

17:51

interest to join the AIP PCT um but it

17:55

seems that it's mostly directed to

17:57

Industries um

17:59

and the question would be if it's only

18:01

for public authorities so local Regional

18:05

National authorities can also enter into

18:07

the a act and contribute to it well

18:11

fundamentally yes uh but is of course

18:13

true and I did not mention the uh the

18:17

actual obligations which in which come

18:19

from the Air Act but it's the the

18:21

obligations are mostly for the providers

18:23

for the developers and therefore um I

18:25

guess it's more for uh AI provide us and

18:29

develop us and less for public

18:30

authorities having said that you know if

18:32

if public authorities develop their own

18:34

systems or in so far as they apply

18:36

systems like they're perfectly happy to

18:37

join I mean we we're perfectly happy for

18:39

them to

18:40

join yes and I believe yes that that is

18:44

true that most public authorities will

18:45

fall in the category of uh deployers but

18:49

uh then I think it could be interesting

18:51

also for for for them so that's that's

18:54

good to know and um thank you and then

18:56

there is a a second question in the in

18:59

the chat uh how do you foresee that the

19:01

understanding of uh what establishes the

19:05

different uh oh it's

19:07

not very clear um maybe we put the

19:12

question in the chat would you like to

19:14

jump pin a second I'm not sure if you

19:17

ask about the

19:19

risk uh yes I'm talking about the risk

19:23

ah yes perfect so how it's um uh is

19:27

defined what's I can what's not I'm not

19:30

sure if that is a question well I mean

19:33

the we have a different definition in in

19:35

the a act what is a high risk and

19:37

basically there a that's a list you know

19:39

how how grave it can be uh for the

19:41

people affected How likely people are

19:43

affected what kind of particular groups

19:45

Etc I mean it's an I don't remember

19:47

article but it's a long list and um we

19:49

will do a revision uh of the of the

19:52

high-risk uh cases of the list of

19:54

high-risk cases regularly and basically

19:56

we'll take the exact uh um the exact

19:59

criteria which are in art in in that

20:01

article and we just apply them and see

20:04

uh what else might be considered high

20:06

risk or might might need to be

20:08

considered high risk now the idea of

20:10

course is that uh for things like that

20:12

you have the European AI board because

20:14

that's where you will have the national

20:15

authorities uh and the national

20:17

authorities will deal with these things

20:18

every day and therefore they will

20:20

realize if something comes up uh is

20:23

developed comes to the market uh which

20:26

is a highrisk case and which possibly

20:27

should be addressed

20:29

uh and then they would actually come to

20:30

the I board and tell the other National

20:32

authorities that and then the other

20:34

National authorities which may or may

20:36

not have made the same experience I

20:38

would then come to the conclusion that

20:40

maybe we should be looking at that and

20:41

then we will look at that according to

20:42

the criteria which which have been which

20:45

are set out in in article I think it's

20:46

Article

20:49

Five yeah thank you and there's another

20:52

couple of questions and also another one

20:55

from from my side but I I will give the

20:56

floor to laa so that she can present um

21:00

and then I will probably there will be

21:01

other few questions for you Martin um

21:04

but thank you in the meantime um and uh

21:08

laa if you want to go ahead with your

21:11

presentation I do just let me share my

21:22

screen it might just take a second from

21:24

my end because I'm needing to give um

21:27

permission to

21:29

uh the app so try and get it up in the

21:34

meantime that would be very

21:35

helpful

21:37

yes no

21:45

voice let me open your

21:49

presentation I have the PDF

21:54

I okay

22:04

strange let me try on my

22:07

end might just make

22:11

[Music]

22:13

it open but it doesn't

22:21

show let me try again

22:42

yes perfect it works can you see it yes

22:46

fantastic all right let me

22:52

just I'm sorry I don't know if you can

22:54

see the full screen or just the slide

22:57

just the slid

22:59

uh full screen would be great but

23:01

otherwise it's uh it's also fine zooming

23:05

in would be also okay all right let me

23:08

just put it inside sh up then so we can

23:10

get there all right sorry technical

23:13

delays um my name is Laura Lazaro

23:15

Cabrera I'm a council and program

23:17

director for equity and dat at CDT

23:19

Europe that's the center for democracy

23:22

and Technology we're brussels-based the

23:24

nonprofit Civil Society organization

23:26

that works towards the preservation of

23:28

human rights in EU law and policy and

23:32

today I'm going to be diving with you

23:35

further into the obligations that the AI

23:37

act creates for providers and employers

23:40

within the AI act taxonomy um just to

23:43

situate my presentation within what's

23:45

already been said uh you remember the

23:47

traffic light system that was mentioned

23:49

by Martin um essentially here we're

23:51

going to be talking about the

23:53

obligations imposed in relation to

23:55

high-risk AI systems so you remember

23:58

there or the unacceptable um types of AI

24:01

so that's a red light the high-risk a

24:03

systems which are the orange light and

24:05

then um I guess the yellow light would

24:07

correspond to to those AI systems that

24:10

present specifically a transparency risk

24:12

but we're talking about the orange ones

24:13

now so the ones are not prohibited but

24:15

just

24:17

below just moving to the next slide for

24:20

today I really have three goals uh we

24:22

don't have a lot of time so I'll take

24:24

you through these briefly the first goal

24:26

is to uh be in a position where we can

24:28

differentiate what obligations

24:30

correspond to Providers and what

24:31

obligations correspond to employers the

24:34

second one is to uh have a basic

24:37

understanding um of the obligations of

24:39

the employers and I say basic because we

24:43

could spend hours talking about the

24:44

detail of the obligations and also as

24:47

Martin already mentioned there will be a

24:49

lot of um outputs coming out from the

24:52

Commission in the AI office specifically

24:54

so we know uh from maron's presentation

24:56

we will be expecting further guidelines

24:58

on high-risk a systems but there are

25:00

also guidelines forthcoming on

25:01

prohibitions for example so there is a

25:04

lot of ink yet to run um on many aspects

25:07

of the AI act so this is just a

25:09

preliminary overview um of those

25:11

obligations and lastly I'd like to take

25:14

you through a few key considerations uh

25:16

for you to take into account prior to

25:18

deploying an AI system so here I'm going

25:20

to be moving us away from strict legal

25:22

compliance and a little bit more into

25:25

the territory of best practice

25:28

so without further Ado um what are we

25:31

talking about when we talk about uh the

25:33

role of public authorities in the AI act

25:36

um the taxonomy is broader than just

25:38

providers and deployers we're also

25:40

talking about um Distributors and

25:42

importers but for the purposes of of

25:45

this presentation and this audience it

25:47

makes sense to focus on these two

25:48

concepts providers and

25:51

deployers as was already mentioned

25:53

really the bulk of the obligations rests

25:56

with providers specifically so from a

25:58

compliance perspective you probably

26:01

don't want to be rushing to be a

26:02

provider unless you have the

26:03

infrastructure already in place to do so

26:05

properly um and as you can see from the

26:08

definition a provider can include a

26:10

Public Authority uh so it will be for

26:12

instance a Public Authority that

26:13

develops an a system or has one

26:16

developed and placed on the

26:18

market however I think the bulk of you

26:21

here in the audience that represent

26:22

local authorities will most likely um

26:25

have your Authority fall within the

26:26

category of the employer if you choose

26:28

to to deploy an AI system so that will

26:32

be uh any entity including a Public

26:35

Authority that uses an AI system under

26:37

its Authority but and this is a key

26:39

point a deployer can become a provider

26:42

within the terms of the act under a few

26:44

circumstances so there's three uh here

26:47

on the side I've only put two because I

26:49

think those are the most likely ones um

26:51

the first situation is if the deployer

26:53

makes a substantial modification to a

26:56

high-risk a system such a remains a

26:58

high-risk AI the second one is if the

27:01

deployer modifies the intended purpose

27:03

of the AI system including if it is a

27:05

general purpose a model but we won't be

27:07

getting too much into that and if now

27:10

that the purpose is modified that brings

27:13

the AI system into the high-risk

27:14

category whereas before it was not in

27:16

that category and there's a third

27:18

instance where the deployer puts its

27:20

name or trademark on the highrisk K

27:22

system uh which is I think a foreseeable

27:25

instance where the deployer will become

27:27

a provider so be warned of these

27:29

distinctions because the moment you step

27:31

into this territory you could then be

27:33

holding yourself to the higher standard

27:35

the more complex obligations imposed by

27:38

the

27:39

act so ahead of jumping into the

27:42

deployer obligations um I'd like to

27:44

quickly run you through the obligations

27:46

applicable um to providers so there's a

27:50

few technical ones um for instance uh

27:52

ensuring there is a quality management

27:54

system in place in relation to the high

27:56

risk AI they deploy keeping technical

27:58

documentation as well as logs um but

28:01

more importantly and this is the bulk of

28:03

the of the obligations it's to ensure

28:06

that there is a Conformity assessment

28:08

undertaken in relation to the specific

28:10

high-risk AI um that is being placed on

28:13

the markets and as many of you might

28:16

already know this is a process that

28:18

predates the AI act uh Conformity

28:20

assessments have been around uh in

28:22

product safety legislation for a long

28:24

time and because the AI Act is at its

28:26

hard product safety legislation as well

28:28

as well even though it brings in other

28:29

other considerations it's something

28:31

that's been essentially adapted to the

28:34

AI world but has been around for a

28:36

while um other obligations that tie in

28:40

with the the plers that obligations will

28:42

have include the registration of

28:44

high-risk a systems in the database um

28:47

so the commission will have to develop a

28:49

database recording all of the high-risk

28:52

AI uses in the continent and this will

28:55

obviously include an obligation on

28:57

provider to register the AI systems on

29:00

the database um similarly providers have

29:03

an obligation to disclose an AI system

29:05

in certain

29:06

circumstances um though we will come to

29:08

see that employers have a similar

29:10

obligation in place and lastly they have

29:12

an obligation to ensure that they're

29:14

providing proper instructions for use um

29:17

this one is particularly important for

29:19

the employers because the employers will

29:21

have an obligation that will come to

29:23

soon to actually um ensure that these

29:27

disclosure these instructions are being

29:29

followed uh so just putting that out

29:31

there for you all to take into

29:36

account now looking at what deployers uh

29:39

must specifically do Under the AI act um

29:42

so we already talk about um the

29:44

registration of the high-risk a system

29:46

in the relevant database this is the

29:49

case already for for providers to do but

29:52

the employers that are our public

29:53

authorities have a complementary

29:55

obligation to ensure that a specific

29:58

section of the information that's to be

30:00

put in the database is filled out uh so

30:03

public authorities will specifically

30:04

have to look into this and make sure

30:06

that they have um the relevant

30:08

information which will then be depending

30:10

on the type of high-risk a system be

30:12

publicly available um for other people

30:15

to

30:16

consult there's also a few safety

30:18

obligations for the employers to take

30:20

into account um and these come in in

30:24

three different flavors so the first one

30:27

is to follow instructions for use

30:29

already developed by the provider as

30:31

well as ensuring that there are

30:33

sufficient Technical and organizational

30:35

measures in place to be able to actually

30:38

uh follow these

30:39

instructions uh similarly the employers

30:42

have to ensure have a certain obligation

30:44

at least to ensure that the AI system is

30:47

working properly so they will have to

30:50

have systems in place so that human

30:52

oversight can happen and individuals in

30:55

charge of this oversight will need to

30:56

have the necessary competence training

30:59

Authority and support to be able to do

31:02

so um lastly they will have to monitor

31:06

AI systems for um two things that are

31:09

defined extensively by the AI act so

31:11

systemic risk or alternatively the

31:14

likelihood of the high-risk a system

31:16

resulting in a serious incident again

31:18

another concept um extensively covered

31:20

by the by the AI act so it's not nothing

31:23

um of course providers have to make sure

31:25

that their uh high-risk a assistants uh

31:28

function properly but the plers will

31:30

have a significant role in monitoring

31:32

that this is the case even after the

31:34

provider has made this

31:36

assessment another thing that um was

31:38

mentioned in passing in the previous

31:40

presentation is the obligation tot take

31:42

a fundamental rights impact assessment

31:44

now this is a key obligation and it's

31:46

one that again applies specifically to

31:49

the employers that are public

31:51

authorities or in the words of the act

31:53

the employers who are governed by public

31:55

law now the fundamental rights in

31:58

assessment will be mandatory in relation

32:00

to highrisk a systems and uh the

32:04

template for it will be developed by the

32:06

AI office so there isn't one already in

32:09

place but once there is then public

32:12

authorities there are deployers surve

32:14

systems will need to fill out that

32:15

templat and ensure that they send it on

32:18

to the relevant Market surveillance

32:19

Authority at National level and this is

32:22

something that they need to have in

32:23

place prior to the deployment of an AI

32:25

system so this is really a key item

32:28

um to put front and center in the in the

32:30

compliance list there are a few special

32:33

obligations that employers have to take

32:35

into account as well and that the

32:38

special the use of the special uh word

32:40

is entirely mine but I'm using it to

32:43

Showcase that these obligations will be

32:45

dependent on the context uh or the

32:47

setting in which the deployers are

32:50

seeking to deploy the AI system so

32:52

firstly um in the situation where a

32:55

deployer has control over the input data

32:58

they will have to ensure that that data

33:00

is sufficiently representative in view

33:02

of the purpose of the AI

33:04

system similarly uh if the deployer is

33:08

choosing to deploy the high-risk a

33:10

system in their workplace then they will

33:12

have an obligation to inform the

33:14

affected workers as well as workers

33:16

representatives and uh and this is one

33:19

of the trickier uh types of highrisk a

33:21

systems to use if they're using um post

33:24

remote biometric systems so that is

33:26

systems that carry out biometric

33:28

identification but not real time they

33:31

will have an obligation to obtain

33:33

authorization for this use within 48

33:35

hours and they will have to submit an

33:37

annual report to Market surveillance

33:38

authorities and data protection agencies

33:41

so there are a few uses of AI uh

33:44

classified as high risk that still come

33:46

with special obligations in view of the

33:49

risk that they're likely to

33:51

present there are other obligations that

33:54

are more user facing um so for instance

33:57

uh employers will have the obligation to

33:59

inform individuals if AI is used to make

34:02

decisions about them or to assist in

34:03

making decisions about them many of you

34:06

will remember uh from Lessons Learned in

34:08

the data protection context uh automated

34:11

decision- making is already prohibited

34:13

to a certain extent but the AI act takes

34:15

this obligation or this prohibition a

34:17

little bit further and goes as far as

34:19

the state if you're making a decision

34:21

that's assisted by AI then you have to

34:23

tell individuals um similarly there's an

34:26

obligation to provide a clear and

34:28

meaningful explanation of any AI

34:30

assisted decision making and here um

34:34

this is not so much an obligation on

34:36

deployers as it is a right uh for

34:38

individuals however effectively

34:40

translates into an obligation so the ACT

34:42

creates a right for individuals to seek

34:44

this type of explanation but in turn

34:46

that will mean or by extension that the

34:49

employers will have an obligation to

34:50

provide it so this is important as well

34:53

ensuring that there is an infrastructure

34:54

in place to manage these requests and

34:56

address them

34:58

uh and lastly disclosure obligations so

35:01

we already covered that providers have a

35:03

disclosure obligation in some instances

35:06

there will be a concurrent disclosure

35:08

obligation for deployers as well so for

35:11

example uh if a deployer is using um an

35:15

emotional recognition or biometric

35:17

categorization AI system they will have

35:19

to disclose that unless the use is for

35:22

the prent the prevention detection or

35:24

investigation of criminal offenses

35:27

if uh similarly a deployer is using text

35:31

generating AI with a specific purpose of

35:33

informing the public on matters of

35:35

public interest again they will have to

35:37

disclose unless uh similarly the

35:40

criminal investigation exception applies

35:42

or alternatively the AI uh has undergone

35:45

a process of human review or editorial

35:48

control and there is somebody who holds

35:50

editorial responsibility over this

35:53

content um and finally when it comes to

35:55

deep fakes which uh some of you may may

35:57

have missed the AI act explicitly

35:59

addresses and also the fines um again

36:02

will be an opportunity to disclose

36:04

unless once more the uses um authorized

36:07

for the detection prevention or

36:09

investigation of

36:12

crime so to really finish I'd like to

36:16

take us through um a deployer checklist

36:19

things to take into account prior to

36:20

deploying AI as has already been

36:22

mentioned there's still time before the

36:25

relevant provisions of the AA become

36:27

applicable

36:28

um it is foreseen that the ACT will

36:30

become into Force as a piece of

36:31

legislation in July this year but

36:34

obviously the different sections of the

36:36

ACT are going to be becoming applicable

36:39

in a staggered manner first one's uh the

36:42

first section to become applicable or

36:44

the article will be the one of

36:45

prohibitions and then uh further down

36:47

the line we'll be looking at the

36:49

sections on high-risk a assistance which

36:51

are the ones we're touching on here so

36:52

there's still time but these are

36:54

considerations um to have in place

36:56

nonetheless before then

36:58

so to start with obligations outside of

37:00

the AI act the AI act States in several

37:03

places that it's without prejudice

37:06

essentially to pre-existing legislation

37:08

on a series of areas but the one I want

37:11

to talk about specifically is the

37:12

general data protection regulation and

37:15

to give you an example of how important

37:18

data protection is in the context of the

37:19

AI act um within the summary that the

37:23

public authorities will have to provide

37:25

in relation to high-risk AI systems to

37:27

include in the commission database they

37:30

will need to provide also a summary of a

37:32

data protection impact assessment if

37:34

they're compelled by law to carry one

37:36

out so these two um are intimately

37:39

linked and it's really relevant to

37:41

consider to what extent the uh

37:44

deployment of an AI comes with

37:46

additional obligations so you can think

37:49

of providers and deployers as uh

37:51

controllers and processors respectively

37:54

following the terminology of the gdpr so

37:57

that's

37:58

number one uh number two whether the AI

38:01

being deployed is high risk so we

38:04

covered the different instances or the

38:06

different uh use cases that could fall

38:09

as or be categorized as high risk within

38:12

the act by way a reminder if any of you

38:15

is Keen to go back to the text of the

38:17

act after this presentation you'll find

38:18

those irisk categories in part in Annex